HIGH 7.8

CVE-2026-46210: Linux Kernel iris Driver Use-After-Free Privilege Escalation

A use-after-free vulnerability exists in the Linux kernel's iris media driver that can be triggered when multiple instances operate concurrently. The flaw arises from a timing gap: while one thread checks video format parameters (width and height) during a macro block validation, another thread may simultaneously free those same format structures. This leaves the checker reading memory that has already been released, potentially crashing the kernel or allowing privilege escalation. The vulnerability requires local access and is triggered through normal kernel operations when multiple media encoding or decoding sessions run in parallel.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: media: iris: fix use-after-free of fmt_src during MBPF check During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct. The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46210 is a use-after-free in the Linux kernel iris driver (CWE-416) arising from inadequate synchronization between instance teardown and global state validation. Specifically, the Macro Blocks Per Frame (MBPF) checker iterates over the core->instances list under core->lock protection, accessing fields like fmt_src->width and fmt_src->height. However, iris_close() frees fmt_src and fmt_dst under the instance-level inst->lock before removing the instance from the core list. This creates a race condition where the MBPF checker can dereference freed format structures. The root cause is a lock scope mismatch: inst->lock protects only single-instance internals, while core->lock protects the shared instance list, but the freeing of fmt_src/fmt_dst occurs in the wrong order relative to list removal. The fix requires deferring format structure deallocation until after core list removal and all core-lock-protected teardown completes.

Business impact

This vulnerability allows a local, unprivileged user to crash the kernel or potentially execute code with kernel privileges through malicious parallel media operations. Organizations running the affected kernel versions on systems that permit local user access face heightened risk of denial of service and potential privilege escalation. Media server applications, containerized environments, and multi-tenant systems are particularly exposed. The impact scope is limited to local threat actors but severity is significant given the kernel-level execution context and the ability to trigger the race condition through standard media encoding/decoding APIs.

Affected systems

The Linux kernel is affected. The vulnerability exists in the iris media driver component and is present in kernel versions prior to the fix merge. Systems with CONFIG_VIDEO_IRIS enabled or with the iris driver compiled are impacted. This includes edge cases like embedded Linux systems running media transcoding, containerized environments with media processing workloads, and any kernel with the iris driver loaded.

Exploitability

Exploitability is moderate but reliable under the right conditions. An attacker requires local system access and must trigger multiple concurrent media encoding or decoding sessions to reliably hit the race condition window. The vulnerability does not require elevated privileges to initiate, though triggering the crash reliably may benefit from timing or workload tuning. The kernel-level impact (denial of service, potential code execution) is severe, but the local-only attack surface and timing sensitivity limit overall exploitation likelihood in typical deployments.

Remediation

Apply the upstream Linux kernel patch that reorders the teardown sequence to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core->instances list and all core-lock-protected operations have completed. Verify the patch against the relevant Linux kernel mailing list or stable kernel release notes. Organizations should prioritize kernel updates for systems with local user access or untrusted media processing workloads.

Patch guidance

Monitor the Linux kernel stable release branches (longterm and mainstream) for availability of patches addressing this CVE. Check your kernel version via `uname -r` and cross-reference against the vendor advisory and kernel.org to identify the minimum patched version for your branch. The fix involves reordering instance teardown in iris_close() to ensure core list removal occurs before format structure deallocation. Test kernel updates in a non-production environment before deployment, especially if your workload involves concurrent media operations.

Detection guidance

Monitor system logs for iris driver-related kernel oops, segmentation faults, or use-after-free messages, particularly in environments running parallel media encoding or decoding workloads. Runtime detection is challenging without custom kernel instrumentation; focus on monitoring for unusual kernel crashes correlated with media processing. Memory sanitizers or kernel address sanitizers (KASAN) will reliably catch this flaw in test environments. Restrict local user access on systems where media processing occurs if kernel patching is delayed.

Why prioritize this

CVE-2026-46210 merits high-priority patching due to its CVSS 7.8 (HIGH) score, kernel-level impact, and the inherent difficulty users face in avoiding concurrent media operations in multi-tenant or busy media server environments. Although the attack surface is local-only, the reliability of triggering the race condition through normal workload patterns makes it a realistic threat in affected deployments.

Risk score, explained

The CVSS v3.1 score of 7.8 reflects the high severity of kernel-level code execution or denial of service impact (Confidentiality: High, Integrity: High, Availability: High), moderated by the requirement for local access (AV:L) and low privilege (PR:L). The accessibility (AC:L, UI:N) indicates the vulnerability is straightforward to trigger through standard media operations once local access is obtained, justifying the HIGH severity classification.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-46210 requires local system access to trigger. An attacker must be able to execute code or invoke system calls on the target machine, typically as a local user. Remote exploitation is not possible.

Will updating my kernel fix this issue?

Yes, applying a kernel update that includes the upstream patch resolving the use-after-free and reordering the teardown sequence will fix the vulnerability. Consult your Linux distributor's advisory or kernel.org for the specific patched version for your kernel branch.

What workloads trigger this vulnerability?

Workloads that spawn multiple concurrent media encoding or decoding sessions are most likely to trigger the race condition. Examples include multi-instance media servers, parallel video transcoding, and concurrent camera streaming in containerized environments.

Is privilege escalation confirmed in the wild?

The vulnerability permits kernel-level code execution with successful exploitation, which constitutes privilege escalation from an unprivileged local user to kernel context. However, CVE-2026-46210 is not listed on the CISA KEV catalog, indicating no confirmed active exploitation in the wild at this time.

This analysis is provided for informational purposes based on the CVE description and available technical details as of the publication date. SEC.co makes no warranty regarding the completeness or accuracy of this information. Readers are advised to consult official Linux kernel advisories, their distribution vendor's security notices, and conduct their own testing before deploying patches in production environments. CVSS scores and vulnerability details are sourced from official CVE records and subject to update. No exploit code or detailed attack techniques are provided; readers should not attempt to develop or use weaponized code targeting this vulnerability. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).