Description
In the Linux kernel, the following vulnerability has been resolved:

media: amphion: Fix race between m2m job_abort and device_run

Fix kernel panic caused by race condition where v4l2_m2m_ctx_release()
frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run
with the same context.

Race sequence:
v4l2_m2m_try_run(): v4l2_m2m_ctx_release():
lock/unlock v4l2_m2m_cancel_job()
job_abort()
v4l2_m2m_job_finish()
kfree(m2m_ctx) <- frees ctx
device_run() <- use-after-free crash at 0x538

Crash trace:
Unable to handle kernel read from unreadable memory at virtual address
0000000000000538
v4l2_m2m_try_run+0x78/0x138
v4l2_m2m_device_run_work+0x14/0x20

The amphion vpu driver does not rely on the m2m framework's device_run
callback to perform encode/decode operations.

Fix the race by preventing m2m framework job scheduling entirely:
- Add job_ready callback returning 0 (no jobs ready for m2m framework)
- Remove job_abort callback to avoid the race condition
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a race condition between the Media‑2‑Media context release and the job start path in the amphion driver. The race allows the kernel to free a context that is still being used, leading to a use‑after‑free read fault and an immediate kernel panic. The primary consequence is a denial of service for the local system, as the crash requires no network interaction or additional privileges beyond the ability to trigger media jobs.

Affected Systems

The flaw exists in the Linux kernel’s amphion media driver and affects any systems that include the vulnerable m2m framework implementation. No specific kernel release numbers are supplied, so all kernels containing the amphion driver prior to the patch are potentially impacted.

Risk and Exploitability

EPSS data is unavailable and the issue is not listed in CISA KEV, but the attack requires local user access with the capability to submit a media job. The race creates a use‑after‑free that can be triggered by a crafted sequence, so the risk is considered high. The likely attack vector is a local privileged or resident user who can invoke the media API to cause the crash.

Generated by OpenCVE AI on May 28, 2026 at 04:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a revision that includes the amphion driver patch, which prevents job scheduling by returning 0 from the job_ready callback and removing the job_abort callback.
  • If an upgrade is not feasible, disable or unload the amphion VPU driver to stop using the vulnerable media framework.
  • If the driver is required for functionality, restrict access to media job APIs to trusted users and monitor for kernel panic events, applying patches as soon as available.

Generated by OpenCVE AI on May 28, 2026 at 04:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References

Wed, 27 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: amphion: Fix race between m2m job_abort and device_run Fix kernel panic caused by race condition where v4l2_m2m_ctx_release() frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run with the same context. Race sequence: v4l2_m2m_try_run(): v4l2_m2m_ctx_release(): lock/unlock v4l2_m2m_cancel_job() job_abort() v4l2_m2m_job_finish() kfree(m2m_ctx) <- frees ctx device_run() <- use-after-free crash at 0x538 Crash trace: Unable to handle kernel read from unreadable memory at virtual address 0000000000000538 v4l2_m2m_try_run+0x78/0x138 v4l2_m2m_device_run_work+0x14/0x20 The amphion vpu driver does not rely on the m2m framework's device_run callback to perform encode/decode operations. Fix the race by preventing m2m framework job scheduling entirely: - Add job_ready callback returning 0 (no jobs ready for m2m framework) - Remove job_abort callback to avoid the race condition
Title media: amphion: Fix race between m2m job_abort and device_run
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:17.853Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46058

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:25.537

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46058

cve-icon Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46058 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T04:30:06Z

Weaknesses