Description
In the Linux kernel, the following vulnerability has been resolved:

media: amphion: Fix race between m2m job_abort and device_run

Fix kernel panic caused by race condition where v4l2_m2m_ctx_release()
frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run
with the same context.

Race sequence:
v4l2_m2m_try_run(): v4l2_m2m_ctx_release():
lock/unlock v4l2_m2m_cancel_job()
job_abort()
v4l2_m2m_job_finish()
kfree(m2m_ctx) <- frees ctx
device_run() <- use-after-free crash at 0x538

Crash trace:
Unable to handle kernel read from unreadable memory at virtual address
0000000000000538
v4l2_m2m_try_run+0x78/0x138
v4l2_m2m_device_run_work+0x14/0x20

The amphion vpu driver does not rely on the m2m framework's device_run
callback to perform encode/decode operations.

Fix the race by preventing m2m framework job scheduling entirely:
- Add job_ready callback returning 0 (no jobs ready for m2m framework)
- Remove job_abort callback to avoid the race condition
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a race condition between the Media‑2‑Media context release and the start of a job in the amphion driver, which can lead to a use‑after‑free and immediate kernel panic. The failure occurs when the framework frees a context while a job is about to call device_run, exposing an unreadable address and causing a denial of service. This falls under the CWE‑362 (Race Condition) and CWE‑364 (Use After Free) weaknesses.

Affected Systems

The flaw resides in the Linux kernel’s amphion media driver. All kernel builds that contain the amphion driver prior to the patch are affected; the specific kernel versions are not enumerated in the advisory, so any kernel version without the reported fix is potentially impacted.

Risk and Exploitability

EPSS indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that the attack requires a local user with the ability to submit media jobs through the v4l2 interface; no network interaction or elevated privileges are described. Still, the race can be triggered by a crafted sequence of calls, so the risk is considered high for systems that allow media job submission.

Generated by OpenCVE AI on June 18, 2026 at 07:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel that contains the amphion driver patch, which disables job scheduling by returning 0 from the job_ready callback and removing the job_abort callback.
  • If immediate upgrade is not possible, unload or disable the amphion VPU driver to stop use of the vulnerable media framework.
  • If the driver must remain active, restrict the media job APIs to trusted users and monitor the system for kernel panic events, applying the patch as soon as available.

Generated by OpenCVE AI on June 18, 2026 at 07:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
Ubuntu USN Ubuntu USN USN-8488-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8489-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8488-2 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-8507-1 Linux kernel (NVIDIA) vulnerabilities
History

Tue, 16 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 28 May 2026 00:15:00 +0000


Wed, 27 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: amphion: Fix race between m2m job_abort and device_run Fix kernel panic caused by race condition where v4l2_m2m_ctx_release() frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run with the same context. Race sequence: v4l2_m2m_try_run(): v4l2_m2m_ctx_release(): lock/unlock v4l2_m2m_cancel_job() job_abort() v4l2_m2m_job_finish() kfree(m2m_ctx) <- frees ctx device_run() <- use-after-free crash at 0x538 Crash trace: Unable to handle kernel read from unreadable memory at virtual address 0000000000000538 v4l2_m2m_try_run+0x78/0x138 v4l2_m2m_device_run_work+0x14/0x20 The amphion vpu driver does not rely on the m2m framework's device_run callback to perform encode/decode operations. Fix the race by preventing m2m framework job scheduling entirely: - Add job_ready callback returning 0 (no jobs ready for m2m framework) - Remove job_abort callback to avoid the race condition
Title media: amphion: Fix race between m2m job_abort and device_run
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:51:15.138Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46058

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:25.537

Modified: 2026-06-17T10:52:59.783

Link: CVE-2026-46058

cve-icon Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46058 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T07:45:03Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-364

    Signal Handler Race Condition