CVE-2026-31584

Source
https://cve.org/CVERecord?id=CVE-2026-31584
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31584.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31584
Downstream
Related
Published
2026-04-24T14:42:13.586Z
Modified
2026-06-24T18:29:23.226848645Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
media: mediatek: vcodec: fix use-after-free in encoder release path
Details

In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: fix use-after-free in encoder release path

The fopsvcodecrelease() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->encodework. This creates a race window where the workqueue handler (mtkvenc_worker) may still be accessing the context memory after it has been freed.

Race condition:

CPU 0 (release path)               CPU 1 (workqueue)
---------------------               ------------------
fops_vcodec_release()
  v4l2_m2m_ctx_release()
    v4l2_m2m_cancel_job()
    // waits for m2m job "done"
                                    mtk_venc_worker()
                                      v4l2_m2m_job_finish()
                                      // m2m job "done"
                                      // BUT worker still running!
                                      // post-job_finish access:
                                    other ctx dereferences
                                      // UAF if ctx already freed
    // returns (job "done")
  kfree(ctx)  // ctx freed

Root cause: The v4l2m2mctxrelease() only waits for the m2m job lifecycle (via TRANSRUNNING flag), not the workqueue lifecycle. After v4l2m2mjobfinish() is called, the m2m framework considers the job complete and v4l2m2mctxrelease() returns, but the worker function continues executing and may still access ctx.

The work is queued during encode operations via: queuework(ctx->dev->encodeworkqueue, &ctx->encodework) The worker function accesses ctx->m2mctx, ctx->dev, and other ctx fields even after calling v4l2m2mjob_finish().

This vulnerability was confirmed with KASAN by running an instrumented test module that widens the post-job_finish race window. KASAN detected:

BUG: KASAN: slab-use-after-free in mtkvencworker+0x159/0x180 Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12

Workqueue: mtkvcodecencwq mtkvenc_worker

Allocated by task 47: _kasankmalloc+0x7f/0x90 fopsvcodecopen+0x85/0x1a0

Freed by task 47: __kasanslabfree+0x43/0x70 kfree+0xee/0x3a0 fopsvcodecrelease+0xb7/0x190

Fix this by calling cancelworksync(&ctx->encode_work) before kfree(ctx). This ensures the workqueue handler is both cancelled (if pending) and synchronized (waits for any running handler to complete) before the context is freed.

Placement rationale: The fix is placed after v4l2ctrlhandlerfree() and before listdelinit(&ctx->list). At this point, all m2m operations are done (v4l2m2mctxrelease() has returned), and we need to ensure the workqueue is synchronized before removing ctx from the list and freeing it.

Note: The open error path does NOT need cancelworksync() because INITWORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during devicerun() operations.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31584.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0934d37596151edce115c6d0843a9ad7d5e5d232
Fixed
9a9bdaf9dc42ccca50e53f82165292f74a365c11
Fixed
a8a55913552aed45108525d1851c65e1db0cc25b
Fixed
f99353cd0e9f58bf17889049137b8d65fb44ebf1
Fixed
93d9a58961a9e09306857e999b3ee76aa4be67f0
Fixed
f1692337c6fa26e04f89b22a4d84bf5b7ada50d1
Fixed
76e35091ffc722ba39b303e48bc5d08abb59dd56

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31584.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.136
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.83
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.24
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.14
Type
ECOSYSTEM
Events
Introduced
6.20.0
Fixed
7.0.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31584.json"