HIGH
media Iris UAF
CVE-2026-46240
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

media: iris: Fix use-after-free in iris_release_internal_buffers()

The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.

Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the Qualcomm Iris media driver allows local attackers with media device access to corrupt kernel memory. This can lead to privilege escalation, information disclosure, or system crashes on devices with Qualcomm SoCs.
Vulnerability analysis
The vulnerability occurs in iris_release_internal_buffers(): session_release_buf() may free the buffer, but the caller then dereferences the same buffer pointer to update its flags. The regression was introduced when the order of buffer destruction operations was changed. The fix reorders the operations so that the BUF_ATTR_PENDING_RELEASE flag is set before the call that may free the buffer, and cleared again only if that call fails (when the buffer is still valid), so freed memory is never touched. The attack surface is local-only, requiring access to V4L2 media devices on Qualcomm hardware.
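The ordering bug described in the Description and the analysis above, modelled as an added example (constructed here, not the iris driver's code): a mock `session_release_buf()` marks the buffer freed on success, `set_attr()` counts any write to a freed buffer, and the pre-fix and fixed orderings of the caller are shown side by side. Only `BUF_ATTR_PENDING_RELEASE` and the function names come from the advisory; `struct buf`, `fw_ok` and `uaf_writes` are constructed for the model.

```c
#include <stdbool.h>

/* Constructed model of the ordering bug and its fix; not the iris driver's code. */
#define BUF_ATTR_PENDING_RELEASE (1u << 0)

struct buf {
    unsigned int attr;
    bool freed;            /* model only: stands in for kfree() */
};

static int uaf_writes;     /* model only: counts writes to a freed buffer */

/* Every attr update goes through here so a write after free is observable. */
static void set_attr(struct buf *b, unsigned int flag, bool on)
{
    if (b->freed)
        uaf_writes++;
    if (on)
        b->attr |= flag;
    else
        b->attr &= ~flag;
}

/* Model of session_release_buf(): when the firmware accepts the release the
 * buffer is freed (here: marked freed) and the caller must not touch it again. */
static int session_release_buf(struct buf *b, bool fw_ok)
{
    if (!fw_ok)
        return -1;
    b->freed = true;
    return 0;
}

/* Pre-fix ordering: the flag is written after the call that may have freed b. */
static int release_buggy(struct buf *b, bool fw_ok)
{
    int ret = session_release_buf(b, fw_ok);
    if (ret)
        return ret;
    set_attr(b, BUF_ATTR_PENDING_RELEASE, true);  /* use-after-free on success */
    return 0;
}

/* Fixed ordering: mark pending first; revert only when b is known to be alive. */
static int release_fixed(struct buf *b, bool fw_ok)
{
    set_attr(b, BUF_ATTR_PENDING_RELEASE, true);
    int ret = session_release_buf(b, fw_ok);
    if (ret)
        set_attr(b, BUF_ATTR_PENDING_RELEASE, false); /* call failed, b still valid */
    return ret;                                       /* success: b is not touched */
}
```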
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.32 | dd24998a4a40 |
| 6.20 | 6.20 | 18c64439f249 |
| 7.0 | 7.0.9 | f27cfdcfc916 |
| mainline | 7.1-rc3 | — |