HIGH
media: em28xx V4L2 open race
CVE-2026-31583
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

media: em28xx: fix use-after-free in em28xx_v4l2_open()

em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock, creating a race with em28xx_v4l2_init()'s error path and em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct and set dev->v4l2 to NULL under dev->lock.

This race leads to two issues:

- use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler, since the video_device is embedded in the freed em28xx_v4l2 struct.
- NULL pointer dereference in em28xx_resolution_set() when accessing v4l2->norm, since dev->v4l2 has been set to NULL.

Fix this by moving the mutex_lock() before the dev->v4l2 read and adding a NULL check for dev->v4l2 under the lock.
02 KernelScan AI Analysis
Risk summary
This race lets a process that is opening an em28xx V4L2 device node run concurrently with the driver freeing its em28xx_v4l2 state, which happens on the em28xx_v4l2_init() error path and in em28xx_v4l2_fini() (device teardown, for example on USB disconnect). The outcome is either a use-after-free on the freed em28xx_v4l2 object or a NULL pointer dereference, and both crash the kernel. A local user who can open /dev/video* can therefore cause a denial of service by opening the node while the device is being removed or is failing to initialise. The CVSS vector rates confidentiality and integrity impact high because a kernel use-after-free is in principle more than a crash; the commit message itself describes only the crash outcomes.
Vulnerability analysis
Root Cause: The em28xx_v4l2_open() function reads dev->v4l2 without holding the dev->lock mutex, creating a race condition with em28xx_v4l2_init()'s error path and em28xx_v4l2_fini() which both free the em28xx_v4l2 struct and set dev->v4l2 to NULL under the same lock. This allows concurrent access to the v4l2 structure during deallocation.
Attack Surface: Local. The attacker needs permission to open the /dev/video* node of an em28xx device (on most distributions, membership of the video group or an active desktop session), and the open() must be in flight while the device is torn down or its V4L2 initialisation fails. Unplugging the USB device is the obvious way to cause the teardown, so physical access helps, but any event that disconnects or re-probes the device provides the same window. No ioctl is involved; a plain open() on the device node reaches the racy code.
Fix Mechanism: The patch moves the mutex_lock() call before the dev->v4l2 read and adds a NULL check for dev->v4l2 under the lock. Because em28xx_v4l2_fini() and the init error path also take dev->lock before freeing the structure and clearing the pointer, an open() that acquires the lock first sees a live object for the whole open path, and one that acquires it second sees NULL and can fail cleanly instead of dereferencing freed or NULL memory. Reading the pointer once under the lock, rather than caching it beforehand, is what closes the window.
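To make the ordering concrete, here is an added single-threaded model of the pre-fix and post-fix open() paths. It is example code written for this page, not the em28xx driver: the struct shapes, the sim_* names, the OPEN_* result codes and the use of -ENODEV for the fixed path are assumptions. The racing teardown (em28xx_v4l2_fini() or the init error path) is injected as a callback at the point where it could run, so the outcome is deterministic and shows why caching dev->v4l2 before taking the lock is the defect.

```c
#include <errno.h>
#include <stddef.h>

/* Stand-in for struct mutex. The model is single-threaded, so the lock never
 * contends; it only documents which reads happen under it. */
struct sim_mutex { int held; };
static void sim_lock(struct sim_mutex *m)   { m->held = 1; }
static void sim_unlock(struct sim_mutex *m) { m->held = 0; }

struct em28xx_v4l2 {
    int norm;    /* what em28xx_resolution_set() reads */
    int freed;   /* model only: set instead of really kfree()ing the object */
};

struct em28xx {
    struct sim_mutex lock;
    struct em28xx_v4l2 *v4l2;
};

typedef void (*race_hook_t)(struct em28xx *dev);

/* Outcomes of the modelled open(). The OPEN_* codes are assumed labels for
 * what would be a kernel crash; -ENODEV is the assumed clean failure. */
enum {
    OPEN_OK        = 0,
    OPEN_UAF       = -1000,   /* touched the freed em28xx_v4l2 (v4l2_fh_init) */
    OPEN_NULLDEREF = -1001    /* dereferenced dev->v4l2 == NULL (em28xx_resolution_set) */
};

static struct em28xx_v4l2 v4l2_object;   /* static so "freeing" it stays defined behaviour */

/* Probe: publish a live em28xx_v4l2 object. */
void sim_probe(struct em28xx *dev)
{
    dev->lock.held = 0;
    v4l2_object.norm = 1;
    v4l2_object.freed = 0;
    dev->v4l2 = &v4l2_object;
}

/* em28xx_v4l2_fini() / init error path: free the struct and clear dev->v4l2 under dev->lock. */
void sim_fini(struct em28xx *dev)
{
    sim_lock(&dev->lock);
    if (dev->v4l2) {
        dev->v4l2->freed = 1;   /* kfree(dev->v4l2) in the driver */
        dev->v4l2 = NULL;
    }
    sim_unlock(&dev->lock);
}

/* Pre-fix shape: dev->v4l2 is cached before the lock, so teardown can run in between. */
int open_vulnerable(struct em28xx *dev, race_hook_t racer)
{
    struct em28xx_v4l2 *v4l2 = dev->v4l2;   /* unlocked read */
    int ret = OPEN_OK;

    if (racer)
        racer(dev);   /* the window: fini frees the object and NULLs dev->v4l2 */

    sim_lock(&dev->lock);
    /* v4l2_fh_init() reaches vdev->ctrl_handler inside the em28xx_v4l2 allocation */
    if (!v4l2 || v4l2->freed) {
        ret = v4l2 ? OPEN_UAF : OPEN_NULLDEREF;
        goto out;
    }
    /* em28xx_resolution_set() goes through dev->v4l2, which is now NULL */
    if (!dev->v4l2) {
        ret = OPEN_NULLDEREF;
        goto out;
    }
    (void)dev->v4l2->norm;
out:
    sim_unlock(&dev->lock);
    return ret;
}

/* Post-fix shape: take the lock first, then read and NULL-check dev->v4l2. */
int open_fixed(struct em28xx *dev, race_hook_t racer)
{
    struct em28xx_v4l2 *v4l2;
    int ret = OPEN_OK;

    if (racer)
        racer(dev);   /* teardown can only run before we hold the lock, never between read and use */

    sim_lock(&dev->lock);
    v4l2 = dev->v4l2;
    if (!v4l2) {
        ret = -ENODEV;   /* device already torn down: refuse the open cleanly */
        goto out;
    }
    (void)v4l2->norm;   /* safe: the object cannot be freed while we hold the lock */
out:
    sim_unlock(&dev->lock);
    return ret;
}

/* Run one open() against a freshly probed device, optionally with teardown racing it. */
int scenario(int (*open_fn)(struct em28xx *, race_hook_t), race_hook_t racer)
{
    struct em28xx dev;

    sim_probe(&dev);
    return open_fn(&dev, racer);
}
```

Running scenario(open_vulnerable, sim_fini) reports the use-after-free because the cached pointer still points at the object fini released, while scenario(open_fixed, sim_fini) returns -ENODEV: the only read of dev->v4l2 happens after the lock is held, so it observes the NULL that fini stored under the same lock.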
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 3c0283a59e36 |
| 5.15 | 5.15.209 | 2cbf81f76842 |
| 6.1 | 6.1.175 | 38a327221f7f |
| 6.6 | 6.6.136 | b5d141ea15f1 |
| 6.12 | 6.12.83 | 5fb294032772 |
| 6.18 | 6.18.24 | 871b8ea8ef39 |
| 6.19 | 6.19.14 | 6b9e66437cc6 |
| 7.0 | 7.0.1 | dd2b888e08d3 |
| mainline | 7.1-rc1 | a66485a934c7 |