Description
In the Linux kernel, the following vulnerability has been resolved:

media: em28xx: fix use-after-free in em28xx_v4l2_open()

em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock,
creating a race with em28xx_v4l2_init()'s error path and
em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct
and set dev->v4l2 to NULL under dev->lock.

This race leads to two issues:
- use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler,
since the video_device is embedded in the freed em28xx_v4l2 struct.
- NULL pointer dereference in em28xx_resolution_set() when accessing
v4l2->norm, since dev->v4l2 has been set to NULL.

Fix this by moving the mutex_lock() before the dev->v4l2 read and
adding a NULL check for dev->v4l2 under the lock.
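
The locking order described above, as an added userspace model (not the driver's code and not the upstream patch). A pthread mutex stands in for dev->lock, the model_* names and the -ENODEV return value are assumptions, and the concurrent teardown is simulated by a callback so the run is deterministic.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* Userspace model; every name here is a hypothetical stand-in. */
struct model_v4l2 { int norm; int users; };
struct model_dev { pthread_mutex_t lock; struct model_v4l2 *v4l2; };
typedef void (*hook_fn)(struct model_dev *);

/* Teardown: free the struct and NULL the pointer under the lock. */
static void model_fini(struct model_dev *dev)
{
    pthread_mutex_lock(&dev->lock);
    free(dev->v4l2);
    dev->v4l2 = NULL;
    pthread_mutex_unlock(&dev->lock);
}

/* Pre-fix ordering: sample dev->v4l2, then lock. racer simulates a teardown
 * landing in that window. Returns 1 if the sample is stale once locked. */
static int model_open_prefix_is_stale(struct model_dev *dev, hook_fn racer)
{
    int sampled_valid = (dev->v4l2 != NULL);        /* unlocked read */
    if (racer) racer(dev);
    pthread_mutex_lock(&dev->lock);
    int stale = sampled_valid && dev->v4l2 == NULL; /* freed behind our back */
    pthread_mutex_unlock(&dev->lock);
    return stale;
}

/* Post-fix ordering: lock first, then read and NULL-check under the lock. */
static int model_open_fixed(struct model_dev *dev)
{
    int ret = -ENODEV;          /* error value is the model's choice */
    pthread_mutex_lock(&dev->lock);
    if (dev->v4l2) {
        dev->v4l2->users++;
        ret = 0;
    }
    pthread_mutex_unlock(&dev->lock);
    return ret;
}
int main(void)
{
    struct model_dev d = { PTHREAD_MUTEX_INITIALIZER, calloc(1, sizeof(struct model_v4l2)) };
    int ok = model_open_fixed(&d) == 0;
    ok = ok && model_open_prefix_is_stale(&d, model_fini) == 1;
    ok = ok && model_open_fixed(&d) == -ENODEV;
    return ok ? 0 : 1;
}
```
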
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

A race condition in the Linux kernel media driver em28xx allows an attacker to trigger a use‑after‑free and a NULL pointer dereference. The vulnerability occurs when the kernel reads the device’s v4l2 structure without holding the necessary lock, while other code paths may free the structure and null the pointer. This race (CWE‑367) leads to a classic use‑after‑free flaw (CWE‑416). An attacker could exploit this to crash the kernel, leading to a denial‑of‑service condition.

Affected Systems

All Linux kernel installations that include the em28xx media driver are affected. The driver is part of the mainstream kernel source; the exact kernel version numbers are not listed in the CVE data, but any kernel that still contains the pre‑fix code is vulnerable. Users running recent distributions that ship with an unpatched kernel are at risk.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% shows that exploitation is unlikely at the moment. The vulnerability is not listed in the CISA KEV catalog, which means there are no publicly known active exploits. The likely attack vector is local or privileged access to a device managed by the em28xx driver, as the race requires manipulation of the kernel’s v4l2 device interfaces. Without an active exploit, the risk is primarily a potential for kernel panic and service disruption.

Generated by OpenCVE AI on April 28, 2026 at 14:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the em28xx use‑after‑free fix.
  • If the em28xx driver is not required for your system, disable or remove it to eliminate the attack surface.
  • After applying the update, monitor the system for any kernel crashes or abnormal device behavior.


Advisories
Source | ID | Title
Debian DSA | DSA-6238-1 | linux security update
History

Mon, 27 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416
Metrics | cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 27 Apr 2026 14:15:00 +0000


Mon, 27 Apr 2026 11:30:00 +0000


Sat, 25 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-367
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Title media: em28xx: fix use-after-free in em28xx_v4l2_open()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:35.902Z

Reserved: 2026-03-09T15:48:24.120Z

Link: CVE-2026-31583

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:33.017

Modified: 2026-04-27T20:26:18.650

Link: CVE-2026-31583

Redhat

Severity : Moderate

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31583 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T14:15:34Z

Weaknesses