CVE-2026-46210

Source
https://cve.org/CVERecord?id=CVE-2026-46210
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46210.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46210
Downstream
Related
Published
2026-05-28T09:40:27.884Z
Modified
2026-07-08T08:09:40.762408252Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
media: iris: fix use-after-free of fmt_src during MBPF check
Details

In the Linux kernel, the following vulnerability has been resolved:

media: iris: fix use-after-free of fmt_src during MBPF check

During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmtsrc->width and fmtsrc->height. At the same time, irisclose() may free fmtsrc and fmtdst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmtsrc was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmtsrc and fmtdst without removing the instance from the core list is not correct.

The correct ordering is to defer freeing fmtsrc and fmtdst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46210.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5ad964ad5656668399f00c76707f0d063b64a4b1
Fixed
494ffd1712a588e590e6b1e9f876a8c8b24a9180
Fixed
3d9593ad1a58c5acc3e5fa2a48222bb7632e6812

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46210.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.18.0
Fixed
7.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46210.json"