CVE-2026-31585

Source
https://cve.org/CVERecord?id=CVE-2026-31585
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31585.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31585
Downstream
Related
Published
2026-04-24T14:42:14.266Z
Modified
2026-06-18T03:55:25.228899401Z
Summary
media: vidtv: fix nfeeds state corruption on start_streaming failure
Details

In the Linux kernel, the following vulnerability has been resolved:

media: vidtv: fix nfeeds state corruption on start_streaming failure

syzbot reported a memory leak in vidtvpsiservicedescinit [1].

When vidtvstartstreaming() fails inside vidtvstartfeed(), the nfeeds counter is left incremented even though no feed was actually started. This corrupts the driver state: subsequent startfeed calls see nfeeds > 1 and skip starting the mux, while stopfeed calls eventually try to stop a non-existent stream.

This state corruption can also lead to memory leaks, since the mux and channel resources may be partially allocated during a failed start_streaming but never cleaned up, as the stop path finds dvb->streaming == false and returns early.

Fix by decrementing nfeeds back when start_streaming fails, keeping the counter in sync with the actual number of active feeds.

[1] BUG: memory leak unreferenced object 0xffff888145b50820 (size 32): comm "syz.0.17", pid 6068, jiffies 4294944486 backtrace (crc 90a0c7d4): vidtvpsiservicedescinit+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtvpsi.c:288 vidtvchannels302minit+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtvchannel.c:83 vidtvchannelsinit+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtvchannel.c:524 vidtvmuxinit+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtvmux.c:518 vidtvstartstreaming drivers/media/test-drivers/vidtv/vidtvbridge.c:194 [inline] vidtvstartfeed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31585.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f90cf6079bf67988f8b1ad1ade70fc89d0080905
Fixed
f8cccb427e65d725fc0ba05e8900b4676eda268e
Fixed
60f768d46df561e06d92ffcacc00909f37a0f23d
Fixed
80900b5424f3454256153ce386388df43b324f63
Fixed
17cb7957c979529cc98ff57f7ac331532f1f7c83
Fixed
98c22210aeadce67d9d20059f0dbbd01ba7fdbba
Fixed
25f19e476ab15defe698504212899fdb9f7cd61b
Fixed
83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd
Fixed
4bf95f797edd63c93330eafb6d6e670982344b9b
Fixed
a0e5a598fe9a4612b852406b51153b881592aede

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31585.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.10.0
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.136
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.83
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.24
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.14
Type
ECOSYSTEM
Events
Introduced
6.20.0
Fixed
7.0.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31585.json"