{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31585", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.120Z", "datePublished": "2026-04-24T14:42:14.266Z", "dateUpdated": "2026-05-11T22:11:38.154Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:38.154Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix nfeeds state corruption on start_streaming failure\n\nsyzbot reported a memory leak in vidtv_psi_service_desc_init [1].\n\nWhen vidtv_start_streaming() fails inside vidtv_start_feed(), the\nnfeeds counter is left incremented even though no feed was actually\nstarted. This corrupts the driver state: subsequent start_feed calls\nsee nfeeds > 1 and skip starting the mux, while stop_feed calls\neventually try to stop a non-existent stream.\n\nThis state corruption can also lead to memory leaks, since the mux\nand channel resources may be partially allocated during a failed\nstart_streaming but never cleaned up, as the stop path finds\ndvb->streaming == false and returns early.\n\nFix by decrementing nfeeds back when start_streaming fails, keeping\nthe counter in sync with the actual number of active feeds.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888145b50820 (size 32):\n comm \"syz.0.17\", pid 6068, jiffies 4294944486\n backtrace (crc 90a0c7d4):\n vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288\n vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83\n vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524\n vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/test-drivers/vidtv/vidtv_bridge.c"], "versions": [{"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905", "lessThan": "17cb7957c979529cc98ff57f7ac331532f1f7c83", "status": "affected", "versionType": "git"}, {"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905", "lessThan": "98c22210aeadce67d9d20059f0dbbd01ba7fdbba", "status": "affected", "versionType": "git"}, {"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905", "lessThan": "25f19e476ab15defe698504212899fdb9f7cd61b", "status": "affected", "versionType": "git"}, {"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905", "lessThan": "83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd", "status": "affected", "versionType": "git"}, {"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905", "lessThan": "4bf95f797edd63c93330eafb6d6e670982344b9b", "status": "affected", "versionType": "git"}, {"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905", "lessThan": "a0e5a598fe9a4612b852406b51153b881592aede", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/test-drivers/vidtv/vidtv_bridge.c"], "versions": [{"version": "5.10", "status": "affected"}, {"version": "0", "lessThan": "5.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/17cb7957c979529cc98ff57f7ac331532f1f7c83"}, {"url": "https://git.kernel.org/stable/c/98c22210aeadce67d9d20059f0dbbd01ba7fdbba"}, {"url": "https://git.kernel.org/stable/c/25f19e476ab15defe698504212899fdb9f7cd61b"}, {"url": "https://git.kernel.org/stable/c/83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd"}, {"url": "https://git.kernel.org/stable/c/4bf95f797edd63c93330eafb6d6e670982344b9b"}, {"url": "https://git.kernel.org/stable/c/a0e5a598fe9a4612b852406b51153b881592aede"}], "title": "media: vidtv: fix nfeeds state corruption on start_streaming failure", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F98EDB3-BDF6-4821-9197-1BA4A2E056E2", "versionEndExcluding": "6.6.136", "versionStartIncluding": "5.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix nfeeds state corruption on start_streaming failure\n\nsyzbot reported a memory leak in vidtv_psi_service_desc_init [1].\n\nWhen vidtv_start_streaming() fails inside vidtv_start_feed(), the\nnfeeds counter is left incremented even though no feed was actually\nstarted. This corrupts the driver state: subsequent start_feed calls\nsee nfeeds > 1 and skip starting the mux, while stop_feed calls\neventually try to stop a non-existent stream.\n\nThis state corruption can also lead to memory leaks, since the mux\nand channel resources may be partially allocated during a failed\nstart_streaming but never cleaned up, as the stop path finds\ndvb->streaming == false and returns early.\n\nFix by decrementing nfeeds back when start_streaming fails, keeping\nthe counter in sync with the actual number of active feeds.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888145b50820 (size 32):\n comm \"syz.0.17\", pid 6068, jiffies 4294944486\n backtrace (crc 90a0c7d4):\n vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288\n vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83\n vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524\n vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239"}], "id": "CVE-2026-31585", "lastModified": "2026-04-28T20:47:22.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:33.267", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/17cb7957c979529cc98ff57f7ac331532f1f7c83"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/25f19e476ab15defe698504212899fdb9f7cd61b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4bf95f797edd63c93330eafb6d6e670982344b9b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/98c22210aeadce67d9d20059f0dbbd01ba7fdbba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a0e5a598fe9a4612b852406b51153b881592aede"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: media: vidtv: fix nfeeds state corruption on start_streaming failure", "id": "2461578", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461578"}, "csaw": false, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's vidtv media driver. When the `vidtv_start_streaming()` function fails, the internal counter for active streams (`nfeeds`) is not properly decremented. This state corruption can lead to memory leaks and prevent proper cleanup of resources, potentially causing system instability or a denial of service (DoS)."], "name": "CVE-2026-31585", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31585\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31585\nhttps://lore.kernel.org/linux-cve-announce/2026042413-CVE-2026-31585-b423@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f90cf6079bf67988f8b1ad1ade70fc89d0080905,17cb7957c979529cc98ff57f7ac331532f1f7c83)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f90cf6079bf67988f8b1ad1ade70fc89d0080905,98c22210aeadce67d9d20059f0dbbd01ba7fdbba)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f90cf6079bf67988f8b1ad1ade70fc89d0080905,25f19e476ab15defe698504212899fdb9f7cd61b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f90cf6079bf67988f8b1ad1ade70fc89d0080905,83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f90cf6079bf67988f8b1ad1ade70fc89d0080905,4bf95f797edd63c93330eafb6d6e670982344b9b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f90cf6079bf67988f8b1ad1ade70fc89d0080905,a0e5a598fe9a4612b852406b51153b881592aede)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.10"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.10)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:43:53.873300+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update that includes the vidtv driver fix, which decrements nfeeds when start_streaming fails, addressing CWE\u2011911.", "If the vidtv driver is not required for your system, disable it through kernel configuration or by unloading the module to avoid the issue.", "Monitor kernel logs for repeated vidtv_start_streaming failures or memory leak indicators, and consider rebooting or applying the patch if symptoms persist."], "summary": {"action": "Apply patch", "impact": "Local resource exhaustion and driver instability"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Linux kernel media subsystem, specifically the vidtv test driver. The CVE lists the generic Linux kernel CPE, and no precise kernel version range is identified. Because the vidtv driver is part of the standard kernel distribution, any Linux kernel that includes this driver without the patch is potentially impacted. There are no vendor\u2013product subtleties beyond the general Linux kernel.", "description_and_impact": "The VIDTV driver in the Linux kernel fails to decrement its nfeeds counter when starting a feed fails, leaving the driver state inconsistent. This state corruption causes the driver to skip starting the mux for subsequent feeds and to incorrectly attempt to stop non\u2011existent streams. The premature skip also prevents proper cleanup of partially allocated resources, which results in a memory leak. Together these issues can cause unstable media driver behavior and gradual kernel memory consumption growth.", "risk_and_exploitability": "The flaw manifests as an internal state corruption when a start_streaming call fails. In the Linux kernel this condition can only be triggered by code running with kernel privileges, implying a local attack vector. The CVSS score of 5.5 indicates medium severity, while the low EPSS score (<1%) and absence from the CISA KEV list reflect a low likelihood of exploitation. If an attacker gains the ability to execute kernel code, they could repeatedly trigger start_streaming failures that incrementally increase the nfeeds counter, leading to memory leaks and potential denial of service. This aligns with CWE\u2011911: Improper Restriction or Removal of Access to a Resource in the Presence of a Failure, as well as CWE\u2011401: Unreleased Resource. The applied fix decrements the counter on failure, restoring state consistency and preventing resource exhaustion."}}}}, "created": "2026-04-27T19:00:15.680721+00:00", "updated": "2026-04-28T23:45:16.061704+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}