{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31583", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.120Z", "datePublished": "2026-04-24T14:42:12.923Z", "dateUpdated": "2026-05-11T22:11:35.902Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:35.902Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: em28xx: fix use-after-free in em28xx_v4l2_open()\n\nem28xx_v4l2_open() reads dev->v4l2 without holding dev->lock,\ncreating a race with em28xx_v4l2_init()'s error path and\nem28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct\nand set dev->v4l2 to NULL under dev->lock.\n\nThis race leads to two issues:\n - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler,\n since the video_device is embedded in the freed em28xx_v4l2 struct.\n - NULL pointer dereference in em28xx_resolution_set() when accessing\n v4l2->norm, since dev->v4l2 has been set to NULL.\n\nFix this by moving the mutex_lock() before the dev->v4l2 read and\nadding a NULL check for dev->v4l2 under the lock."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/usb/em28xx/em28xx-video.c"], "versions": [{"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e", "lessThan": "b5d141ea15f173f15b9f0a72965902f3428c0d92", "status": "affected", "versionType": "git"}, {"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e", "lessThan": "5fb2940327722b4684d2f964b54c1c90aa277324", "status": "affected", "versionType": "git"}, {"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e", "lessThan": "871b8ea8ef39a6c253594649f4339378fad3d0dd", "status": "affected", "versionType": "git"}, {"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e", "lessThan": "6b9e66437cc6123ddedac141e1b8b6fcf57d2972", "status": "affected", "versionType": "git"}, {"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e", "lessThan": "dd2b888e08d3b3d6aacd65d76cd44fac11da750f", "status": "affected", "versionType": "git"}, {"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e", "lessThan": "a66485a934c7187ae8e36517d40615fa2e961cff", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/usb/em28xx/em28xx-video.c"], "versions": [{"version": "3.16", "status": "affected"}, {"version": "0", "lessThan": "3.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b5d141ea15f173f15b9f0a72965902f3428c0d92"}, {"url": "https://git.kernel.org/stable/c/5fb2940327722b4684d2f964b54c1c90aa277324"}, {"url": "https://git.kernel.org/stable/c/871b8ea8ef39a6c253594649f4339378fad3d0dd"}, {"url": "https://git.kernel.org/stable/c/6b9e66437cc6123ddedac141e1b8b6fcf57d2972"}, {"url": "https://git.kernel.org/stable/c/dd2b888e08d3b3d6aacd65d76cd44fac11da750f"}, {"url": "https://git.kernel.org/stable/c/a66485a934c7187ae8e36517d40615fa2e961cff"}], "title": "media: em28xx: fix use-after-free in em28xx_v4l2_open()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "14109CEF-714B-4029-A318-97AA58A01833", "versionEndExcluding": "6.6.136", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8BAD957-8E20-401C-A129-DFF3655CA0B7", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: em28xx: fix use-after-free in em28xx_v4l2_open()\n\nem28xx_v4l2_open() reads dev->v4l2 without holding dev->lock,\ncreating a race with em28xx_v4l2_init()'s error path and\nem28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct\nand set dev->v4l2 to NULL under dev->lock.\n\nThis race leads to two issues:\n - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler,\n since the video_device is embedded in the freed em28xx_v4l2 struct.\n - NULL pointer dereference in em28xx_resolution_set() when accessing\n v4l2->norm, since dev->v4l2 has been set to NULL.\n\nFix this by moving the mutex_lock() before the dev->v4l2 read and\nadding a NULL check for dev->v4l2 under the lock."}], "id": "CVE-2026-31583", "lastModified": "2026-04-27T20:26:18.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:33.017", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5fb2940327722b4684d2f964b54c1c90aa277324"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6b9e66437cc6123ddedac141e1b8b6fcf57d2972"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/871b8ea8ef39a6c253594649f4339378fad3d0dd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a66485a934c7187ae8e36517d40615fa2e961cff"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b5d141ea15f173f15b9f0a72965902f3428c0d92"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dd2b888e08d3b3d6aacd65d76cd44fac11da750f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: media: em28xx: fix use-after-free in em28xx_v4l2_open()", "id": "2461487", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461487"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-367", "details": ["A flaw was found in the Linux kernel's em28xx media driver. This vulnerability, a type of memory corruption, arises from a race condition where the driver attempts to use memory that has already been freed or access a null pointer. This can be triggered when the `em28xx_v4l2_open()` function is called without proper synchronization. Successful exploitation could lead to system instability or a denial of service, making the system unresponsive."], "name": "CVE-2026-31583", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31583\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31583\nhttps://lore.kernel.org/linux-cve-announce/2026042412-CVE-2026-31583-edcc@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8139a4d583abad45eb987b5a99b3281b6d435b7e,b5d141ea15f173f15b9f0a72965902f3428c0d92)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8139a4d583abad45eb987b5a99b3281b6d435b7e,5fb2940327722b4684d2f964b54c1c90aa277324)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8139a4d583abad45eb987b5a99b3281b6d435b7e,871b8ea8ef39a6c253594649f4339378fad3d0dd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8139a4d583abad45eb987b5a99b3281b6d435b7e,6b9e66437cc6123ddedac141e1b8b6fcf57d2972)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8139a4d583abad45eb987b5a99b3281b6d435b7e,dd2b888e08d3b3d6aacd65d76cd44fac11da750f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8139a4d583abad45eb987b5a99b3281b6d435b7e,a66485a934c7187ae8e36517d40615fa2e961cff)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.16"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T14:06:16.532125+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that includes the em28xx use\u2011after\u2011free fix.", "If the em28xx driver is not required for your system, disable or remove it to eliminate the attack surface.", "After applying the update, monitor the system for any kernel crashes or abnormal device behavior."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that include the em28xx media driver are affected. The driver is part of the mainstream kernel source; the exact kernel version numbers are not listed in the CVE data, but any kernel that still contains the pre\u2011fix code is vulnerable. Users running recent distributions that ship with an unpatched kernel are at risk.", "description_and_impact": "A race condition in the Linux kernel media driver em28xx allows an attacker to trigger a use\u2011after\u2011free and a NULL pointer dereference. The vulnerability occurs when the kernel reads the device\u2019s v4l2 structure without holding the necessary lock, while other code paths may free the structure and null the pointer. This race (CWE\u2011367) leads to a classic use\u2011after\u2011free flaw (CWE\u2011416). An attacker could exploit this to crash the kernel, leading to a denial\u2011of\u2011service condition.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% shows that exploitation is unlikely at the moment. The vulnerability is not listed in the CISA KEV catalog, which means there are no publicly known active exploits. The likely attack vector is local or privileged access to a device managed by the em28xx driver, as the race requires manipulation of the kernel\u2019s v4l2 device interfaces. Without an active exploit, the risk is primarily a potential for kernel panic and service disruption."}}}}, "created": "2026-04-27T19:00:15.682652+00:00", "updated": "2026-04-28T14:15:34.904266+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}