CVE-2026-46011

Severity: HIGH · CVSS 3.1: 7.8 · EPSS: 2.6%
Published May 27, 2026 · Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

The mtk_jpeg_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->jpeg_work. This creates a race window where the workqueue callback may still be accessing the context memory after it has been freed.

Race condition:

    CPU 0 (release)              CPU 1 (workqueue)
    ----------------             ------------------
    close()
      mtk_jpeg_release()
                                 mtk_jpegenc_worker()
                                   ctx = work->data
                                   // accessing ctx
        kfree(ctx) // freed!
                                   access ctx // UAF!

The work is queued via queue_work() during JPEG encode/decode operations (via mtk_jpeg_device_run). If the device is closed while work is pending or running, the work handler will access freed memory.

Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This ordering is critical: if cancel_work_sync() is called after mutex_lock(), and the work handler also tries to acquire the same mutex, it would cause a deadlock.

Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during ioctl operations.
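The ordering rule from the description, as an added userspace model (not the kernel patch or the driver's code): pthreads stand in for the workqueue, and `release_ctx`, `cancel_sync`, `worker`, the `go`/`done` flags and the 300 ms timeout are hypothetical names and values chosen for this sketch. It shows that draining the handler before taking the mutex releases cleanly, while locking first leaves the handler stuck on the same mutex.

```c
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <time.h>

/* Userspace model (assumption): dev.lock is the driver mutex, ctx the per-open context. */
static struct dev { pthread_mutex_t lock; } dev = { PTHREAD_MUTEX_INITIALIZER };
struct ctx { struct dev *dev; pthread_t work; atomic_int go, done; };
static const struct timespec tick = { 0, 1000000L };   /* 1 ms poll interval */

/* Work handler: pending until dispatched, then takes the mutex and touches ctx. */
static void *worker(void *arg)
{
	struct ctx *ctx = arg;
	while (!atomic_load(&ctx->go))
		nanosleep(&tick, NULL);
	pthread_mutex_lock(&ctx->dev->lock);
	atomic_store(&ctx->done, 1);
	pthread_mutex_unlock(&ctx->dev->lock);
	return NULL;
}

/* Stand-in for cancel_work_sync(): wait for the handler, report ETIMEDOUT after ~300 ms. */
static int cancel_sync(struct ctx *ctx)
{
	atomic_store(&ctx->go, 1);
	for (int i = 0; i < 300 && !atomic_load(&ctx->done); i++)
		nanosleep(&tick, NULL);
	return atomic_load(&ctx->done) ? 0 : ETIMEDOUT;
}

/* Release path. Returns 0 when clean, ETIMEDOUT when the ordering deadlocks. */
int release_ctx(int cancel_before_lock)
{
	struct ctx *ctx = calloc(1, sizeof(*ctx));
	int ret = 0;
	if (!ctx) return ENOMEM;
	ctx->dev = &dev;
	pthread_create(&ctx->work, NULL, worker, ctx);  /* models queue_work() */
	if (cancel_before_lock)
		ret = cancel_sync(ctx);                 /* fixed order: drain, then lock */
	pthread_mutex_lock(&dev.lock);
	if (!cancel_before_lock)
		ret = cancel_sync(ctx);                 /* handler is blocked on dev.lock */
	pthread_mutex_unlock(&dev.lock);
	pthread_join(ctx->work, NULL);                  /* reap the handler before freeing */
	free(ctx);                                      /* models kfree(ctx): no handler left */
	return ret;
}

int main(void) { return release_ctx(1); }
```

In the model the timeout only exists so the wrong ordering can be reported; in the kernel the equivalent wait would never return.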

CVSS Details

Base Score: 7.8
Exploitability: 1.8
Impact: 5.9
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 2.6% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 1

CWE-416: Use After Free (Memory Safety)

Affected Products 4

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥6.2 – <6.6.140
linux   linux_kernel  *        ≥6.7 – <6.12.86
linux   linux_kernel  *        ≥6.13 – <6.18.27
linux   linux_kernel  *        ≥6.19 – <7.0.4

References 5

  • git.kernel.org https://git.kernel.org/stable/c/0498b27a1542021d90269d58347501d4c3ccd84e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2209fdae5c2f615930c9af1379c1cfca199ec5d8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/26506a30e0e26d612f82a7bf0e395626968a44e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/34c519feef3e4fcff1078dc8bdb25fbbbd10303f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e78c39f720679fcf3a2eacd82725ec3ea2648301
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0498b27a1542021d90269d58347501d4c3ccd84e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2209fdae5c2f615930c9af1379c1cfca199ec5d8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/26506a30e0e26d612f82a7bf0e395626968a44e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/34c519feef3e4fcff1078dc8bdb25fbbbd10303f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e78c39f720679fcf3a2eacd82725ec3ea2648301
    Patch