In the Linux kernel, the following vulnerability has been resolved:
media: iris: Fix use-after-free in irisreleaseinternal_buffers()
The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy
internal buffers after FW releases") introduced a regression where
sessionreleasebuf() may free the buffer. The caller,
irisreleaseinternal_buffers(), continued to access buffer after the
call, leading to a potential use-after-free.
Fix this by setting BUFATTRPENDINGRELEASE before calling sessionrelease_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46240.json",
"cna_assigner": "Linux"
}