Description
In the Linux kernel, the following vulnerability has been resolved:

media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

The mtk_jpeg_release() function frees the context structure (ctx) without
first cancelling any pending or running work in ctx->jpeg_work. This
creates a race window where the workqueue callback may still be accessing
the context memory after it has been freed.

Race condition:

CPU 0 (release)                 CPU 1 (workqueue)
----------------                ------------------
close()
  mtk_jpeg_release()
                                mtk_jpegenc_worker()
                                  ctx = work->data
                                  // accessing ctx

    kfree(ctx)   // freed!
                                  access ctx   // UAF!

The work is queued via queue_work() during JPEG encode/decode operations
(via mtk_jpeg_device_run). If the device is closed while work is pending
or running, the work handler will access freed memory.

Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This
ordering is critical: if cancel_work_sync() is called after mutex_lock(),
and the work handler also tries to acquire the same mutex, it would cause
a deadlock.

Note: The open error path does NOT need cancel_work_sync() because
INIT_WORK() only initializes the work structure - it does not schedule
it. Work is only scheduled later during ioctl operations.
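The ordering the description calls critical, as an added user-space model that is neither the driver's code nor the upstream patch: cancel_work_sync() is modelled with a thread join, and mtk_jpeg_ctx, dev_lock, jpeg_worker() and mtk_jpeg_release_fixed() are hypothetical stand-ins for the driver's ctx, its device mutex, mtk_jpegenc_worker() and the fixed mtk_jpeg_release().

```c
#include <pthread.h>
#include <stdlib.h>

/* User-space stand-ins for the kernel primitives the advisory names. One thread
 * per work item; cancel_work_sync() joins it, so it returns only once a running
 * callback has finished, which is what makes freeing ctx afterwards safe. */
struct work_struct { void *(*func)(void *); pthread_t thread; int queued; };
static void queue_work(struct work_struct *w) {
	if (!w->queued && pthread_create(&w->thread, NULL, w->func, w) == 0)
		w->queued = 1;
}
static void cancel_work_sync(struct work_struct *w) {
	if (w->queued && pthread_join(w->thread, NULL) == 0)
		w->queued = 0;
}

/* Hypothetical cut-down context holding only the fields the race involves. */
struct mtk_jpeg_ctx {
	struct work_struct jpeg_work;	/* first member, so work -> ctx is a cast */
	pthread_mutex_t *dev_lock;	/* mutex shared with the release path */
	int encoded_frames;		/* written by the worker */
};
/* Stand-in for mtk_jpegenc_worker(): takes the shared mutex and touches ctx. */
static void *jpeg_worker(void *work) {
	struct mtk_jpeg_ctx *ctx = work;
	pthread_mutex_lock(ctx->dev_lock);
	ctx->encoded_frames++;		/* the access that became a UAF */
	pthread_mutex_unlock(ctx->dev_lock);
	return NULL;
}

/* Fixed ordering: cancel BEFORE taking the mutex the worker also needs
 * (locking first and then waiting for the worker would deadlock), then free. */
static int mtk_jpeg_release_fixed(struct mtk_jpeg_ctx *ctx) {
	cancel_work_sync(&ctx->jpeg_work);
	pthread_mutex_lock(ctx->dev_lock);
	int frames = ctx->encoded_frames;	/* safe: no worker can still run */
	pthread_mutex_unlock(ctx->dev_lock);
	free(ctx);
	return frames;
}

/* One open -> run -> close cycle; returns the frame count seen at close (1). */
int run_cycle(void) {
	static pthread_mutex_t dev_lock = PTHREAD_MUTEX_INITIALIZER;
	struct mtk_jpeg_ctx *ctx = calloc(1, sizeof(*ctx));
	if (!ctx) return -1;
	ctx->jpeg_work.func = jpeg_worker;
	ctx->dev_lock = &dev_lock;
	queue_work(&ctx->jpeg_work);	/* as mtk_jpeg_device_run() would */
	return mtk_jpeg_release_fixed(ctx);
}
```

Swapping the first two statements of mtk_jpeg_release_fixed() reproduces the deadlock the description warns about: the release path holds dev_lock while waiting for a worker that is blocked on the same lock.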
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in the MediaTek JPEG driver of the Linux kernel where the mtk_jpeg_release() function frees its context structure before canceling any pending work; this results in a use‑after‑free that corrupts kernel memory. The primary impact is local kernel memory corruption that could enable a local attacker to gain elevated privileges or crash the system, reflecting CWE-825 weaknesses.

Affected Systems

The vulnerability resides in the kernel's media subsystem for MediaTek devices, specifically in the mtk_jpeg component. It affects all Linux kernel releases that include this driver and have not yet incorporated the commit that performs cancel_work_sync() before freeing ctx. Vendors listed by the CNA are Linux:Linux, meaning any Linux distribution whose kernel contains this driver may be vulnerable. Exact version ranges are not disclosed, but any system that has not applied the patch referenced in the provided commit logs remains affected.

Risk and Exploitability

The CVSS score of 7.8 denotes high severity, yet the EPSS score is less than 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation. Based on the description, the attack vector requires local access and the ability to open the JPEG device; an attacker would need to initiate an encode or decode operation, then close the device while work is pending. Because the work runs in the kernel, the threat is limited to privileged or local users that have access to the device file. If successful, the attacker could trigger a kernel panic or achieve privilege escalation, but remote code execution is not implied by the current data.

Generated by OpenCVE AI on May 30, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a revision that includes the commit adding cancel_work_sync() before releasing ctx in mtk_jpeg_release()
  • If an update is not possible, unload or blacklist the mtk_jpeg kernel module to prevent the driver from loading
  • If the module must remain available, ensure that applications do not close the JPEG device while a run operation is outstanding; otherwise modify the driver or add a wrapper that invokes cancel_work_sync() before device close

Generated by OpenCVE AI on May 30, 2026 at 15:21 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 30 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 28 May 2026 00:15:00 +0000


Wed, 27 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: fix use-after-free in release path due to uncancelled work The mtk_jpeg_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->jpeg_work. This creates a race window where the workqueue callback may still be accessing the context memory after it has been freed. Race condition: CPU 0 (release) CPU 1 (workqueue) ---------------- ------------------ close() mtk_jpeg_release() mtk_jpegenc_worker() ctx = work->data // accessing ctx kfree(ctx) // freed! access ctx // UAF! The work is queued via queue_work() during JPEG encode/decode operations (via mtk_jpeg_device_run). If the device is closed while work is pending or running, the work handler will access freed memory. Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This ordering is critical: if cancel_work_sync() is called after mutex_lock(), and the work handler also tries to acquire the same mutex, it would cause a deadlock. Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during ioctl operations.
Title media: mtk-jpeg: fix use-after-free in release path due to uncancelled work
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:47:51.841Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46011

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-27T14:17:19.250

Modified: 2026-06-16T15:25:13.650

Link: CVE-2026-46011

Redhat

Severity:

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46011 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T15:30:26Z

Weaknesses