CVE-2026-46240

HIGH

media: iris: Fix use-after-free in iris_release_internal_buffers()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: media: iris: Fix use-after-free in iris_release_internal_buffers() The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free. Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.

References (3)

Core 3

Scores

CVSS v3 7.8
EPSS 0.0012
EPSS Percentile 2.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (14)
Linux/Linux < 7.0
Linux/Linux 1dabf00ee206eceb0f08a1fe5d1ce635f9064338 - 18c64439f249859b6140f7bf8bcf95c8ed841f28
Linux/Linux 1dabf00ee206eceb0f08a1fe5d1ce635f9064338 - f27cfdcfc916bb59297825805f4c3499f89f9e76
Linux/Linux 6.18.16 - 6.18.32
Linux/Linux 6.18.32 - 6.18.*
Linux/Linux 6.19.6 - 6.20
Linux/Linux 7.0
Linux/Linux 7.0.9 - 7.0.*
Linux/Linux 7.1
Linux/Linux 7.1-rc3
... and 4 more
Published May 28, 2026
Tracked Since May 28, 2026