Description
In the Linux kernel, the following vulnerability has been resolved:

media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

The mtk_jpeg_release() function frees the context structure (ctx) without
first cancelling any pending or running work in ctx->jpeg_work. This
creates a race window where the workqueue callback may still be accessing
the context memory after it has been freed.

Race condition:

CPU 0 (release)               CPU 1 (workqueue)
----------------              ------------------
close()
mtk_jpeg_release()
                              mtk_jpegenc_worker()
                              ctx = work->data
                              // accessing ctx

kfree(ctx) // freed!
                              access ctx // UAF!

The work is queued via queue_work() during JPEG encode/decode operations
(via mtk_jpeg_device_run). If the device is closed while work is pending
or running, the work handler will access freed memory.

Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This
ordering is critical: if cancel_work_sync() is called after mutex_lock(),
and the work handler also tries to acquire the same mutex, it would cause
a deadlock.

Note: The open error path does NOT need cancel_work_sync() because
INIT_WORK() only initializes the work structure - it does not schedule
it. Work is only scheduled later during ioctl operations.
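The release/worker interaction above, as an added userspace model that is not the kernel patch: a pthread stands in for mtk_jpegenc_worker(), a second mutex (gate) stands in for the workqueue scheduling the item, and kfree(ctx) is modelled by clearing an alive flag so the late access can be observed. The struct fields, run_work_and_wait() and release_scenario() are constructed for this illustration; release_scenario(1) follows the fixed ordering (cancel before taking the driver mutex), release_scenario(0) the original one.

```c
#include <pthread.h>
/* Deterministic userspace model of the mtk-jpeg release race (constructed, not
 * kernel code): kfree(ctx) is modelled by clearing ctx->alive so the worker's
 * late access is observable instead of being undefined behaviour. */
struct jpeg_ctx {
    int alive;                /* 1 while allocated, 0 after the modelled kfree */
    int touched_freed;        /* set by the worker if it used ctx after kfree */
    pthread_mutex_t dev_lock; /* the driver mutex the worker also acquires */
    pthread_mutex_t gate;     /* held by release until the workqueue runs the item */
    pthread_t thread;
};

/* models mtk_jpegenc_worker(): wait to be scheduled, take the mutex, use ctx */
static void *jpeg_work(void *arg)
{
    struct jpeg_ctx *ctx = arg;
    pthread_mutex_lock(&ctx->gate);       /* blocks until run_work_and_wait() */
    pthread_mutex_unlock(&ctx->gate);
    pthread_mutex_lock(&ctx->dev_lock);
    ctx->touched_freed = !ctx->alive;     /* ctx already freed => use-after-free */
    pthread_mutex_unlock(&ctx->dev_lock);
    return NULL;
}

/* Run the pending work and wait for it: before kfree this is cancel_work_sync();
 * after kfree it models the workqueue running the stale item once close() returned. */
static void run_work_and_wait(struct jpeg_ctx *ctx)
{
    pthread_mutex_unlock(&ctx->gate);
    pthread_join(ctx->thread, NULL);
}

/* close() with work queued; returns 1 if the worker touched freed memory.
 * fixed=1 cancels BEFORE taking dev_lock: the worker needs dev_lock to finish,
 * so waiting for it while holding that mutex would deadlock, as the fix notes. */
int release_scenario(int fixed)
{
    struct jpeg_ctx ctx = { .alive = 1, .dev_lock = PTHREAD_MUTEX_INITIALIZER,
                            .gate = PTHREAD_MUTEX_INITIALIZER };
    pthread_mutex_lock(&ctx.gate);                        /* work not yet run */
    pthread_create(&ctx.thread, NULL, jpeg_work, &ctx);   /* queue_work() */
    if (fixed)
        run_work_and_wait(&ctx);                          /* cancel_work_sync() */
    pthread_mutex_lock(&ctx.dev_lock);
    ctx.alive = 0;                                        /* kfree(ctx) */
    pthread_mutex_unlock(&ctx.dev_lock);
    if (!fixed)
        run_work_and_wait(&ctx);               /* stale work runs after release */
    return ctx.touched_freed;
}
```

Build with -pthread; the unfixed ordering reports the worker touching the freed context, the fixed ordering does not.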
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the MediaTek JPEG driver allows a use‑after‑free on the kernel context structure when the device driver is closed while work is queued. The work queue handler may still run and reference memory that has been freed, enabling an attacker to trigger arbitrary code execution or kernel memory corruption. The vulnerability is a classic use‑after‑free scenario (CWE‑416) that compromises kernel integrity and can lead to full system compromise.

Affected Systems

The flaw exists in the Linux kernel’s MediaTek JPEG driver. No specific kernel versions are listed; the issue is present wherever the driver is deployed, typically in boards that include MediaTek integrated media hardware and run a kernel with the mtk_jpeg driver loaded.

Risk and Exploitability

The CVSS score is not provided and the EPSS score is unavailable, making the quantitative risk assessment uncertain. The flaw is not listed in the CISA KEV catalog. Exploitation requires a local attacker who has the ability to trigger JPEG encode/decode operations and close the device while work is pending, indicating a local, privileged‑context attack vector rather than a network‑based one. However, because the defect occurs in kernel land, any successful exploitation would provide high‑impact control over the system.

Generated by OpenCVE AI on May 27, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel release that includes the cancel_work_sync() patch to the mtk_jpeg_release() path.
  • If a kernel upgrade cannot be performed immediately, blacklist or unload the mtk-jpeg module so the driver is no longer loaded into the system.
  • If the module must remain available, avoid closing the device while JPEG work is queued or running and ensure that user‑space applications do not trigger encode/decode operations when the device may concurrently be shut down.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:00:00 +0000

  Weaknesses (added): CWE-416

Wed, 27 May 2026 14:15:00 +0000

  Description (added): the text shown under Description above
  Title (added): media: mtk-jpeg: fix use-after-free in release path due to uncancelled work
  First Time appeared (added): Linux; Linux linux Kernel
  CPEs (added): cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products (added): Linux; Linux linux Kernel
  References:

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:13.198Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46011

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:19.250

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:45:39Z

Weaknesses