HIGH Published 2026-05-27

media/amphion M2MContext UAF

CVE-2026-46058

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI5.7MEDIUM

01Description

In the Linux kernel, the following vulnerability has been resolved: media: amphion: Fix race between m2m job_abort and device_run Fix kernel panic caused by race condition where v4l2_m2m_ctx_release() frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run with the same context. Race sequence: v4l2_m2m_try_run(): v4l2_m2m_ctx_release(): lock/unlock v4l2_m2m_cancel_job() job_abort() v4l2_m2m_job_finish() kfree(m2m_ctx) <- frees ctx device_run() <- use-after-free crash at 0x538 Crash trace: Unable to handle kernel read from unreadable memory at virtual address 0000000000000538 v4l2_m2m_try_run+0x78/0x138 v4l2_m2m_device_run_work+0x14/0x20 The amphion vpu driver does not rely on the m2m framework's device_run callback to perform encode/decode operations. Fix the race by preventing m2m framework job scheduling entirely: - Add job_ready callback returning 0 (no jobs ready for m2m framework) - Remove job_abort callback to avoid the race condition

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

A race condition in the Amphion VPU media driver can cause a kernel panic when the V4L2 memory-to-memory context is freed while still being accessed by the framework's job scheduler. This affects systems using Amphion VPU hardware for video encoding/decoding operations, potentially causing system crashes during media processing workloads. As a heap use-after-free, the vulnerability also carries potential for information disclosure and memory corruption.

Affecteddrivers/media/platform/amphion/vpu_v4l2.c (media subsystem)

Vulnerability analysis

The vulnerability is a use-after-free race condition in the V4L2 memory-to-memory framework integration of the Amphion VPU driver. The root cause is that v4l2_m2m_ctx_release() can free the m2m_ctx structure via kfree() while v4l2_m2m_try_run() is concurrently about to call device_run() with the same context pointer. The race window exists between the spin_unlock and the device_run invocation in try_run, during which the context release path can complete and free the memory. Because the dangling pointer is dereferenced to read function pointer and private data, the bug class enables not only denial of service (kernel panic) but also potential information leak and memory corruption. The fix prevents the race entirely by adding a job_ready callback returning 0 (indicating no jobs are ready for the m2m framework) and removing the job_abort callback, effectively disabling the m2m framework's job scheduling mechanism since the amphion driver handles operations independently.

03Fix Versions

Branch	Fixed in	Patch commit
6.1	6.1.175	`516467052fdf`
6.12	6.12.86	`da4f46c5cf1d`
6.18	6.18.27	`fdc150dac1ad`
6.6	6.6.140	`42dc622776f3`
7.0	7.0.4	`6be2cb75bc13`
mainline	7.1-rc1	`8cd35ceadcfc`