In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix nfeeds state corruption on start_streaming failure
syzbot reported a memory leak in vidtvpsiservicedescinit [1].
When vidtvstartstreaming() fails inside vidtvstartfeed(), the nfeeds counter is left incremented even though no feed was actually started. This corrupts the driver state: subsequent startfeed calls see nfeeds > 1 and skip starting the mux, while stopfeed calls eventually try to stop a non-existent stream.
This state corruption can also lead to memory leaks, since the mux and channel resources may be partially allocated during a failed start_streaming but never cleaned up, as the stop path finds dvb->streaming == false and returns early.
Fix by decrementing nfeeds back when start_streaming fails, keeping the counter in sync with the actual number of active feeds.
[1] BUG: memory leak unreferenced object 0xffff888145b50820 (size 32): comm "syz.0.17", pid 6068, jiffies 4294944486 backtrace (crc 90a0c7d4): vidtvpsiservicedescinit+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtvpsi.c:288 vidtvchannels302minit+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtvchannel.c:83 vidtvchannelsinit+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtvchannel.c:524 vidtvmuxinit+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtvmux.c:518 vidtvstartstreaming drivers/media/test-drivers/vidtv/vidtvbridge.c:194 [inline] vidtvstartfeed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31585.json",
"cna_assigner": "Linux"
}