Description
In the Linux kernel, the following vulnerability has been resolved:

media: iris: fix use-after-free of fmt_src during MBPF check

During concurrency testing, multiple instances can run in parallel, and
each instance uses its own inst->lock while the core->lock protects the
list of active instances. The race happens because these locks cover
different scopes, inst->lock protects only the internals of a single
instance, while the Macro Blocks Per Frame (MBPF) checker walks the
core list under core->lock and reads fields like fmt_src->width and
fmt_src->height. At the same time, iris_close() may free fmt_src and
fmt_dst under inst->lock while the instance is still present in the core
list. This allows a situation where the MBPF checker, still iterating
through the core list, reaches an instance whose fmt_src was already
freed by another thread and ends up dereferencing a dangling pointer,
resulting in a use-after-free. This happens because the MBPF checker
assumes that any instance in the core list is fully valid, but the
freeing of fmt_src and fmt_dst without removing the instance from the
core list is not correct.

The correct ordering is to defer freeing fmt_src and fmt_dst until after
the instance has been removed from the core list and all teardown under
the core lock has completed, ensuring that no dangling pointers are ever
exposed during MBPF checks.
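The teardown ordering described above, as an added single-threaded model in C (not the kernel patch and not iris driver code): the checker is run in the window between the two teardown steps, once for each ordering. All struct and function names and the 16x16 macroblock rounding are assumptions, and the model flags a freed fmt_src instead of reading it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* Constructed user-space model; all names here are hypothetical, not driver code. */
struct fmt  { unsigned width, height; };
struct inst { struct fmt *fmt_src; bool src_freed; struct inst *next; };
struct core { struct inst *head; };        /* list guarded by core->lock in the driver */

static struct inst *inst_open(struct core *c, unsigned w, unsigned h) {
    struct inst *i = calloc(1, sizeof(*i));
    i->fmt_src = malloc(sizeof(*i->fmt_src));
    i->fmt_src->width = w; i->fmt_src->height = h;
    i->next = c->head; c->head = i;        /* instance becomes visible to the checker */
    return i;
}
static void core_list_del(struct core *c, struct inst *i) {
    for (struct inst **p = &c->head; *p; p = &(*p)->next)
        if (*p == i) { *p = i->next; return; }
}
/* MBPF-style walk (holds core->lock in the driver). Returns how many listed instances
 * have a freed fmt_src; each one would be a dangling dereference in the driver. */
static int mbpf_walk(struct core *c, unsigned long *mbs) {
    int stale = 0; *mbs = 0;
    for (struct inst *i = c->head; i; i = i->next) {
        if (i->src_freed) { stale++; continue; }   /* model never reads freed memory */
        *mbs += ((i->fmt_src->width + 15) / 16) * ((i->fmt_src->height + 15) / 16);
    }
    return stale;
}
/* Close with the checker scheduled between the two teardown steps.
 * free_first=true is the ordering the description calls incorrect. */
static int close_with_checker(struct core *c, struct inst *i, bool free_first, unsigned long *mbs) {
    int stale;
    if (free_first) {
        free(i->fmt_src); i->src_freed = true;     /* under inst->lock only */
        stale = mbpf_walk(c, mbs);                 /* instance still on the core list */
        core_list_del(c, i);
    } else {
        core_list_del(c, i);                       /* under core->lock */
        stale = mbpf_walk(c, mbs);                 /* instance no longer reachable */
        free(i->fmt_src); i->src_freed = true;
    }
    free(i);
    return stale;
}
int main(void) {
    struct core c = { NULL }; unsigned long mbs;
    inst_open(&c, 1920, 1080);
    printf("free first: %d stale\n", close_with_checker(&c, inst_open(&c, 1280, 720), true, &mbs));
    printf("unlink first: %d stale\n", close_with_checker(&c, inst_open(&c, 1280, 720), false, &mbs));
    close_with_checker(&c, c.head, false, &mbs);   /* tear down the remaining instance */
}
```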
Published: 2026-05-28
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The iris media driver in the Linux kernel contains a race condition that allows a use‑after‑free when the MBPF checker traverses the core instance list concurrently with an iris close operation that frees fmt_src and fmt_dst. If the checker dereferences a freed pointer, the kernel can crash or an attacker could execute arbitrary code with kernel privileges.

Affected Systems

All Linux kernels that include the iris media driver and lack the patch commits 3d9593ad1a58c5acc3e5fa2a48222bb7632e6812 or 494ffd1712a588e590e6b1e9f876a8c8b24a9180 are potentially affected. Because no explicit version numbers were listed, any system that loads the iris module without the patch is treated as affected regardless of kernel version.

Risk and Exploitability

Kernel use‑after‑free vulnerabilities are rated high severity; the CVSS score for this flaw is 7.8. The EPSS score is <1%, indicating a very low exploitation probability, and the flaw is not listed in CISA KEV, suggesting no widespread exploitation reports yet. However, the race condition is feasible during normal driver activity. Exploitation would require an attacker to trigger concurrent iris operations that lead to a dangling pointer dereference; no additional privileges are needed beyond those required to control the iris driver, making this a local privilege escalation vector for affected systems.

Generated by OpenCVE AI on June 10, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the patch commit 3d9593ad1a58c5acc3e5fa2a48222bb7632e6812 or 494ffd1712a588e590e6b1e9f876a8c8b24a9180
  • If an upgrade cannot be applied immediately, unload or disable the iris media driver to eliminate the race window and prevent the flaw from being triggered
  • After applying the patch or disabling the driver, monitor system logs for kernel panics or MBPF errors to ensure the issue has been fully addressed



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Title media: iris: fix use-after-free of fmt_src during MBPF check
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:02:58.474Z

Reserved: 2026-05-13T15:03:33.105Z

Link: CVE-2026-46210

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:36.673

Modified: 2026-06-10T19:17:40.367

Link: CVE-2026-46210

Redhat

Severity :

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46210 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T20:30:28Z

Weaknesses