HIGH
media Request REINIT Race
CVE-2026-31473
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex

MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to use-after-free reports.

We already serialize request queueing against STREAMON/OFF with req_queue_mutex. Extend that serialization to REQBUFS, and also take the same mutex in media_request_ioctl_reinit() so REINIT is in the same exclusion domain. This keeps request cleanup and queue cancellation from running in parallel for request-capable devices.
02 KernelScan AI Analysis
Risk summary
A race condition in the Linux media subsystem allows concurrent execution of request reinitialization and buffer queue teardown operations. This can lead to use-after-free vulnerabilities when request objects are freed while still being accessed during queue cancellation. Local attackers with access to media devices could potentially exploit this to cause system crashes or achieve code execution.
Vulnerability analysis
Root Cause: MEDIA_REQUEST_IOC_REINIT and VIDIOC_REQBUFS(0) can execute concurrently without proper synchronization. The REINIT ioctl can race with queue teardown operations, causing request object cleanup to run in parallel with vb2 queue cancellation. This creates a use-after-free condition where freed request objects may still be accessed.
Attack Surface: Local attack surface requiring access to media device files (/dev/media*) and video device files (/dev/video*). Attackers need the ability to issue concurrent ioctl calls to trigger the race condition. This affects systems with V4L2 media devices that support request-based operations.
Fix Mechanism: The patch extends the existing req_queue_mutex serialization to cover both REQBUFS operations and REINIT operations. It adds mutex_lock/unlock calls around the media_request_ioctl_reinit() function and includes VIDIOC_REQBUFS in the list of ioctls that require req_queue_mutex protection. This ensures request cleanup and queue cancellation cannot run concurrently.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 331242998a7a |
| 5.15 | 5.15.203 | 2c685e99efb3 |
| 6.1 | 6.1.168 | 585fd9a2063d |
| 6.12 | 6.12.80 | d8549a453d5b |
| 6.18 | 6.18.21 | 72b9e81e0203 |
| 6.19 | 6.19.11 | cf2023e84f08 |
| 6.6 | 6.6.131 | 1a0d9083c24f |
| mainline | 7.0 | bef4f4a88b73 |
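
The fix table above turned into a triage check, as an added example that is not part of the advisory or the kernel patch: it classifies an upstream kernel release string (as printed by `uname -r`) against the listed fixed releases. The function names and result labels are hypothetical, and it assumes vanilla stable version numbering; distribution kernels that backport fixes under their own versioning have to be checked against the vendor's advisory.

```python
import re

# Copied from the "Fix Versions" table on this page:
# stable branch (major, minor) -> first patch level that carries the fix.
FIXED_IN = {
    (5, 10): 253, (5, 15): 203, (6, 1): 168, (6, 6): 131,
    (6, 12): 80, (6, 18): 21, (6, 19): 11,
}
MAINLINE_FIXED = (7, 0)  # table row "mainline | 7.0"


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def fix_status(release):
    """Classify a release as "fixed", "missing-fix" or "unknown".

    "unknown" covers branches the table does not list (the page does not
    say whether they are affected) and 7.0 release candidates, which may
    predate the mainline commit.
    """
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch == MAINLINE_FIXED and "-rc" in release:
        return "unknown"
    if branch >= MAINLINE_FIXED:
        return "fixed"
    fixed_patch = FIXED_IN.get(branch)
    if fixed_patch is None:
        return "unknown"
    return "fixed" if patch >= fixed_patch else "missing-fix"


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(f"{rel}: {fix_status(rel)} for CVE-2026-31473")
```

A "missing-fix" result only says the release is older than the fixed release on that branch; exposure still depends on a request-capable V4L2 device being present and reachable by local users.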