{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31584", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.120Z", "datePublished": "2026-04-24T14:42:13.586Z", "dateUpdated": "2026-05-11T22:11:37.054Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:37.054Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: fix use-after-free in encoder release path\n\nThe fops_vcodec_release() function frees the context structure (ctx)\nwithout first cancelling any pending or running work in ctx->encode_work.\nThis creates a race window where the workqueue handler (mtk_venc_worker)\nmay still be accessing the context memory after it has been freed.\n\nRace condition:\n\n CPU 0 (release path) CPU 1 (workqueue)\n --------------------- ------------------\n fops_vcodec_release()\n v4l2_m2m_ctx_release()\n v4l2_m2m_cancel_job()\n // waits for m2m job \"done\"\n mtk_venc_worker()\n v4l2_m2m_job_finish()\n // m2m job \"done\"\n // BUT worker still running!\n // post-job_finish access:\n other ctx dereferences\n // UAF if ctx already freed\n // returns (job \"done\")\n kfree(ctx) // ctx freed\n\nRoot cause: The v4l2_m2m_ctx_release() only waits for the m2m job\nlifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle.\nAfter v4l2_m2m_job_finish() is called, the m2m framework considers\nthe job complete and v4l2_m2m_ctx_release() returns, but the worker\nfunction continues executing and may still access ctx.\n\nThe work is queued during encode operations via:\n queue_work(ctx->dev->encode_workqueue, &ctx->encode_work)\nThe worker function accesses ctx->m2m_ctx, ctx->dev, and other ctx\nfields even after calling v4l2_m2m_job_finish().\n\nThis vulnerability was confirmed with KASAN by running an instrumented\ntest module that widens the post-job_finish race window. KASAN detected:\n\n BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180\n Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12\n\n Workqueue: mtk_vcodec_enc_wq mtk_venc_worker\n\n Allocated by task 47:\n __kasan_kmalloc+0x7f/0x90\n fops_vcodec_open+0x85/0x1a0\n\n Freed by task 47:\n __kasan_slab_free+0x43/0x70\n kfree+0xee/0x3a0\n fops_vcodec_release+0xb7/0x190\n\nFix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx).\nThis ensures the workqueue handler is both cancelled (if pending) and\nsynchronized (waits for any running handler to complete) before the\ncontext is freed.\n\nPlacement rationale: The fix is placed after v4l2_ctrl_handler_free()\nand before list_del_init(&ctx->list). At this point, all m2m operations\nare done (v4l2_m2m_ctx_release() has returned), and we need to ensure\nthe workqueue is synchronized before removing ctx from the list and\nfreeing it.\n\nNote: The open error path does NOT need cancel_work_sync() because\nINIT_WORK() only initializes the work structure - it does not schedule\nit. Work is only scheduled later during device_run() operations."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c"], "versions": [{"version": "0934d37596151edce115c6d0843a9ad7d5e5d232", "lessThan": "9a9bdaf9dc42ccca50e53f82165292f74a365c11", "status": "affected", "versionType": "git"}, {"version": "0934d37596151edce115c6d0843a9ad7d5e5d232", "lessThan": "a8a55913552aed45108525d1851c65e1db0cc25b", "status": "affected", "versionType": "git"}, {"version": "0934d37596151edce115c6d0843a9ad7d5e5d232", "lessThan": "f99353cd0e9f58bf17889049137b8d65fb44ebf1", "status": "affected", "versionType": "git"}, {"version": "0934d37596151edce115c6d0843a9ad7d5e5d232", "lessThan": "93d9a58961a9e09306857e999b3ee76aa4be67f0", "status": "affected", "versionType": "git"}, {"version": "0934d37596151edce115c6d0843a9ad7d5e5d232", "lessThan": "f1692337c6fa26e04f89b22a4d84bf5b7ada50d1", "status": "affected", "versionType": "git"}, {"version": "0934d37596151edce115c6d0843a9ad7d5e5d232", "lessThan": "76e35091ffc722ba39b303e48bc5d08abb59dd56", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9a9bdaf9dc42ccca50e53f82165292f74a365c11"}, {"url": "https://git.kernel.org/stable/c/a8a55913552aed45108525d1851c65e1db0cc25b"}, {"url": "https://git.kernel.org/stable/c/f99353cd0e9f58bf17889049137b8d65fb44ebf1"}, {"url": "https://git.kernel.org/stable/c/93d9a58961a9e09306857e999b3ee76aa4be67f0"}, {"url": "https://git.kernel.org/stable/c/f1692337c6fa26e04f89b22a4d84bf5b7ada50d1"}, {"url": "https://git.kernel.org/stable/c/76e35091ffc722ba39b303e48bc5d08abb59dd56"}], "title": "media: mediatek: vcodec: fix use-after-free in encoder release path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "14109CEF-714B-4029-A318-97AA58A01833", "versionEndExcluding": "6.6.136", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8BAD957-8E20-401C-A129-DFF3655CA0B7", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: fix use-after-free in encoder release path\n\nThe fops_vcodec_release() function frees the context structure (ctx)\nwithout first cancelling any pending or running work in ctx->encode_work.\nThis creates a race window where the workqueue handler (mtk_venc_worker)\nmay still be accessing the context memory after it has been freed.\n\nRace condition:\n\n CPU 0 (release path) CPU 1 (workqueue)\n --------------------- ------------------\n fops_vcodec_release()\n v4l2_m2m_ctx_release()\n v4l2_m2m_cancel_job()\n // waits for m2m job \"done\"\n mtk_venc_worker()\n v4l2_m2m_job_finish()\n // m2m job \"done\"\n // BUT worker still running!\n // post-job_finish access:\n other ctx dereferences\n // UAF if ctx already freed\n // returns (job \"done\")\n kfree(ctx) // ctx freed\n\nRoot cause: The v4l2_m2m_ctx_release() only waits for the m2m job\nlifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle.\nAfter v4l2_m2m_job_finish() is called, the m2m framework considers\nthe job complete and v4l2_m2m_ctx_release() returns, but the worker\nfunction continues executing and may still access ctx.\n\nThe work is queued during encode operations via:\n queue_work(ctx->dev->encode_workqueue, &ctx->encode_work)\nThe worker function accesses ctx->m2m_ctx, ctx->dev, and other ctx\nfields even after calling v4l2_m2m_job_finish().\n\nThis vulnerability was confirmed with KASAN by running an instrumented\ntest module that widens the post-job_finish race window. KASAN detected:\n\n BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180\n Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12\n\n Workqueue: mtk_vcodec_enc_wq mtk_venc_worker\n\n Allocated by task 47:\n __kasan_kmalloc+0x7f/0x90\n fops_vcodec_open+0x85/0x1a0\n\n Freed by task 47:\n __kasan_slab_free+0x43/0x70\n kfree+0xee/0x3a0\n fops_vcodec_release+0xb7/0x190\n\nFix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx).\nThis ensures the workqueue handler is both cancelled (if pending) and\nsynchronized (waits for any running handler to complete) before the\ncontext is freed.\n\nPlacement rationale: The fix is placed after v4l2_ctrl_handler_free()\nand before list_del_init(&ctx->list). At this point, all m2m operations\nare done (v4l2_m2m_ctx_release() has returned), and we need to ensure\nthe workqueue is synchronized before removing ctx from the list and\nfreeing it.\n\nNote: The open error path does NOT need cancel_work_sync() because\nINIT_WORK() only initializes the work structure - it does not schedule\nit. Work is only scheduled later during device_run() operations."}], "id": "CVE-2026-31584", "lastModified": "2026-04-27T20:20:32.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:33.117", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/76e35091ffc722ba39b303e48bc5d08abb59dd56"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/93d9a58961a9e09306857e999b3ee76aa4be67f0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9a9bdaf9dc42ccca50e53f82165292f74a365c11"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a8a55913552aed45108525d1851c65e1db0cc25b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f1692337c6fa26e04f89b22a4d84bf5b7ada50d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f99353cd0e9f58bf17889049137b8d65fb44ebf1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: media: mediatek: vcodec: fix use-after-free in encoder release path", "id": "2461436", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461436"}, "csaw": false, "cwe": "CWE-825", "details": ["A flaw was found in the MediaTek vcodec driver within the Linux kernel. This use-after-free vulnerability occurs when the driver frees a context structure before ensuring that all pending or running workqueue operations have completed. A local attacker could exploit this race condition, potentially leading to a system crash (Denial of Service) or other unpredictable system behavior due to memory corruption."], "name": "CVE-2026-31584", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31584\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31584\nhttps://lore.kernel.org/linux-cve-announce/2026042412-CVE-2026-31584-d806@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0934d37596151edce115c6d0843a9ad7d5e5d232,9a9bdaf9dc42ccca50e53f82165292f74a365c11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0934d37596151edce115c6d0843a9ad7d5e5d232,a8a55913552aed45108525d1851c65e1db0cc25b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0934d37596151edce115c6d0843a9ad7d5e5d232,f99353cd0e9f58bf17889049137b8d65fb44ebf1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0934d37596151edce115c6d0843a9ad7d5e5d232,93d9a58961a9e09306857e999b3ee76aa4be67f0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0934d37596151edce115c6d0843a9ad7d5e5d232,f1692337c6fa26e04f89b22a4d84bf5b7ada50d1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0934d37596151edce115c6d0843a9ad7d5e5d232,76e35091ffc722ba39b303e48bc5d08abb59dd56)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.6"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T20:15:47.421225+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a version that includes the fix, ensuring the driver contains the cancel_work_sync logic; the patch is referenced in the advisory commits.", "Temporarily unload or disable the Mediatek vcodec driver, or modify udev rules to prevent access to the encoder device until the kernel can be updated.", "After applying the fix, monitor dmesg and system logs for any KASAN or use\u2011after\u2011free related messages to confirm the vulnerability is mitigated."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011after\u2011free leading to kernel memory corruption"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the MediaTek Vcodec driver and have not applied the recent patch. The flaw resides in drivers/media/v4l2-core/mtk_vcodec related code and affects systems using the Mediatek video encoder driver across current kernel versions.", "description_and_impact": "A use\u2011after\u2011free flaw in the MediaTek Vcodec driver\u2019s release path allows the kernel workqueue handler to access freed context memory. The defect arises when the release routine frees the context structure without canceling or synchronizing any pending work, creating a data\u2011race condition. If exploited, this can corrupt kernel memory, potentially leading to privilege escalation, arbitrary code execution, or service disruption. The vulnerability is categorized under CWE\u2011416 (Use After Free) and CWE\u2011825 (Race Condition).", "risk_and_exploitability": "The flaw carries a CVSS score of 7.8, indicating high impact. EPSS indicates a very low, but non\u2011zero, likelihood of exploitation (<1\u202f%). The vulnerability is not listed in CISA\u2019s KEV catalogue. Exploitation would likely require local or privileged access to orchestrate concurrent open and release operations on the device to trigger the race window. The attack surface is thus limited, but the severity remains significant if the conditions are met."}}}}, "created": "2026-04-27T19:00:15.681689+00:00", "updated": "2026-04-28T20:30:06.167965+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}