In the Linux kernel, the following vulnerability has been resolved:
media: mtk-jpeg: fix use-after-free in release path due to uncancelled work
The mtkjpegrelease() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->jpeg_work. This creates a race window where the workqueue callback may still be accessing the context memory after it has been freed.
Race condition:
CPU 0 (release) CPU 1 (workqueue)
---------------- ------------------
close()
mtk_jpeg_release()
mtk_jpegenc_worker()
ctx = work->data
// accessing ctx
kfree(ctx) // freed!
access ctx // UAF!
The work is queued via queuework() during JPEG encode/decode operations (via mtkjpegdevicerun). If the device is closed while work is pending or running, the work handler will access freed memory.
Fix this by calling cancelworksync() BEFORE acquiring the mutex. This ordering is critical: if cancelworksync() is called after mutex_lock(), and the work handler also tries to acquire the same mutex, it would cause a deadlock.
Note: The open error path does NOT need cancelworksync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during ioctl operations.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46011.json"
}