CVE-2026-31585 - Vulnerability Details

- media: vidtv: fix nfeeds state corruption on start_streaming failure

Description

In the Linux kernel, the following vulnerability has been resolved:

media: vidtv: fix nfeeds state corruption on start_streaming failure

syzbot reported a memory leak in vidtv_psi_service_desc_init [1].

When vidtv_start_streaming() fails inside vidtv_start_feed(), the
nfeeds counter is left incremented even though no feed was actually
started. This corrupts the driver state: subsequent start_feed calls
see nfeeds > 1 and skip starting the mux, while stop_feed calls
eventually try to stop a non-existent stream.

This state corruption can also lead to memory leaks, since the mux
and channel resources may be partially allocated during a failed
start_streaming but never cleaned up, as the stop path finds
dvb->streaming == false and returns early.

Fix by decrementing nfeeds back when start_streaming fails, keeping
the counter in sync with the actual number of active feeds.

[1]
BUG: memory leak
unreferenced object 0xffff888145b50820 (size 32):
comm "syz.0.17", pid 6068, jiffies 4294944486
backtrace (crc 90a0c7d4):
vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288
vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239

Published: 2026-04-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The VIDTV driver in the Linux kernel fails to decrement its nfeeds counter when starting a feed fails, leaving the driver state inconsistent. This state corruption causes the driver to skip starting the mux for subsequent feeds and to incorrectly attempt to stop non‑existent streams. The premature skip also prevents proper cleanup of partially allocated resources, which results in a memory leak. Together these issues can cause unstable media driver behavior and gradual kernel memory consumption growth.

Affected Systems

The vulnerability affects the Linux kernel media subsystem, specifically the vidtv test driver. The CVE lists the generic Linux kernel CPE, and no precise kernel version range is identified. Because the vidtv driver is part of the standard kernel distribution, any Linux kernel that includes this driver without the patch is potentially impacted. There are no vendor–product subtleties beyond the general Linux kernel.

Risk and Exploitability

The flaw manifests as an internal state corruption when a start_streaming call fails. In the Linux kernel this condition can only be triggered by code running with kernel privileges, implying a local attack vector. The CVSS score of 5.5 indicates medium severity, while the low EPSS score (<1%) and absence from the CISA KEV list reflect a low likelihood of exploitation. If an attacker gains the ability to execute kernel code, they could repeatedly trigger start_streaming failures that incrementally increase the nfeeds counter, leading to memory leaks and potential denial of service. This aligns with CWE‑911: Improper Restriction or Removal of Access to a Resource in the Presence of a Failure, as well as CWE‑401: Unreleased Resource. The applied fix decrements the counter on failure, restoring state consistency and preventing resource exhaustion.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`f90cf6079bf67988f8b1ad1ade70fc89d0080905`	affected	< 17cb7957c979529cc98ff57f7ac331532f1f7c83
`f90cf6079bf67988f8b1ad1ade70fc89d0080905`	affected	< 98c22210aeadce67d9d20059f0dbbd01ba7fdbba
`f90cf6079bf67988f8b1ad1ade70fc89d0080905`	affected	< 25f19e476ab15defe698504212899fdb9f7cd61b
`f90cf6079bf67988f8b1ad1ade70fc89d0080905`	affected	< 83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd
`f90cf6079bf67988f8b1ad1ade70fc89d0080905`	affected	< 4bf95f797edd63c93330eafb6d6e670982344b9b
`f90cf6079bf67988f8b1ad1ade70fc89d0080905`	affected	< a0e5a598fe9a4612b852406b51153b881592aede

Linux

affected

Version	Status	Constraints
`5.10`	affected	—
`0`	unaffected	< 5.10
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[f90cf6079bf67988f8b1ad1ade70fc89d0080905,17cb7957c979529cc98ff57f7ac331532f1f7c83)`	affected	code_commit	—
`[f90cf6079bf67988f8b1ad1ade70fc89d0080905,98c22210aeadce67d9d20059f0dbbd01ba7fdbba)`	affected	code_commit	—
`[f90cf6079bf67988f8b1ad1ade70fc89d0080905,25f19e476ab15defe698504212899fdb9f7cd61b)`	affected	code_commit	—
`[f90cf6079bf67988f8b1ad1ade70fc89d0080905,83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd)`	affected	code_commit	—
`[f90cf6079bf67988f8b1ad1ade70fc89d0080905,4bf95f797edd63c93330eafb6d6e670982344b9b)`	affected	code_commit	—
`[f90cf6079bf67988f8b1ad1ade70fc89d0080905,a0e5a598fe9a4612b852406b51153b881592aede)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.10`	affected	generic	—
`[0,5.10)`	unaffected	generic	—
`[6.6.136,6.7.0)`	unaffected	semver	—
`[6.12.83,6.13.0)`	unaffected	semver	—
`[6.18.24,6.19.0)`	unaffected	semver	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0.1,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest kernel update that includes the vidtv driver fix, which decrements nfeeds when start_streaming fails, addressing CWE‑911.
If the vidtv driver is not required for your system, disable it through kernel configuration or by unloading the module to avoid the issue.
Monitor kernel logs for repeated vidtv_start_streaming failures or memory leak indicators, and consider rebooting or applying the patch if symptoms persist.

Generated by OpenCVE AI on April 28, 2026 at 23:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/17cb7957c979529cc98ff57f7ac331532f1f7c83
https://git.kernel.org/stable/c/25f19e476ab15defe698504212899fdb9f7cd61b
https://git.kernel.org/stable/c/4bf95f797edd63c93330eafb6d6e670982344b9b
https://git.kernel.org/stable/c/83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd
https://git.kernel.org/stable/c/98c22210aeadce67d9d20059f0dbbd01ba7fdbba
https://git.kernel.org/stable/c/a0e5a598fe9a4612b852406b51153b881592aede
https://lore.kernel.org/linux-cve-announce/2026042413-CVE-2026-31585-b423@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31585
https://www.cve.org/CVERecord?id=CVE-2026-31585

History

Tue, 28 Apr 2026 21:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/17cb7957c979529cc98ff57f7ac331532f1f7c83

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/a0e5a598fe9a4612b852406b51153b881592aede

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026042413-CVE-2026-31585-b423@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31585 https://www.cve.org/CVERecord?id=CVE-2026-31585

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: vidtv: fix nfeeds state corruption on start_streaming failure syzbot reported a memory leak in vidtv_psi_service_desc_init [1]. When vidtv_start_streaming() fails inside vidtv_start_feed(), the nfeeds counter is left incremented even though no feed was actually started. This corrupts the driver state: subsequent start_feed calls see nfeeds > 1 and skip starting the mux, while stop_feed calls eventually try to stop a non-existent stream. This state corruption can also lead to memory leaks, since the mux and channel resources may be partially allocated during a failed start_streaming but never cleaned up, as the stop path finds dvb->streaming == false and returns early. Fix by decrementing nfeeds back when start_streaming fails, keeping the counter in sync with the actual number of active feeds. [1] BUG: memory leak unreferenced object 0xffff888145b50820 (size 32): comm "syz.0.17", pid 6068, jiffies 4294944486 backtrace (crc 90a0c7d4): vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288 vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83 vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524 vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline] vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
Title		media: vidtv: fix nfeeds state corruption on start_streaming failure
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/25f19e476ab15defe698504212899fdb9f7cd61b https://git.kernel.org/stable/c/4bf95f797edd63c93330eafb6d6e670982344b9b https://git.kernel.org/stable/c/83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd https://git.kernel.org/stable/c/98c22210aeadce67d9d20059f0dbbd01ba7fdbba

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:14.266Z

Updated: 2026-05-11T22:11:38.154Z

Reserved: 2026-03-09T15:48:24.120Z

Link: CVE-2026-31585

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:33.267

Modified: 2026-04-28T20:47:22.620

Link: CVE-2026-31585

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31585 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T23:45:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object