CVE-2026-46011

Source
https://cve.org/CVERecord?id=CVE-2026-46011
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46011.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46011
Downstream
Related
Published
2026-05-27T12:56:13.198Z
Modified
2026-06-18T03:54:40.836556248Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
media: mtk-jpeg: fix use-after-free in release path due to uncancelled work
Details

In the Linux kernel, the following vulnerability has been resolved:

media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

The mtkjpegrelease() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->jpeg_work. This creates a race window where the workqueue callback may still be accessing the context memory after it has been freed.

Race condition:

CPU 0 (release)                    CPU 1 (workqueue)
----------------                   ------------------
close()
  mtk_jpeg_release()
                                   mtk_jpegenc_worker()
                                     ctx = work->data
                                     // accessing ctx

    kfree(ctx)  // freed!
                                     access ctx  // UAF!

The work is queued via queuework() during JPEG encode/decode operations (via mtkjpegdevicerun). If the device is closed while work is pending or running, the work handler will access freed memory.

Fix this by calling cancelworksync() BEFORE acquiring the mutex. This ordering is critical: if cancelworksync() is called after mutex_lock(), and the work handler also tries to acquire the same mutex, it would cause a deadlock.

Note: The open error path does NOT need cancelworksync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during ioctl operations.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46011.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5fb1c2361e5630491d2a2f9359654eb022601bc0
Fixed
2209fdae5c2f615930c9af1379c1cfca199ec5d8
Fixed
0498b27a1542021d90269d58347501d4c3ccd84e
Fixed
26506a30e0e26d612f82a7bf0e395626968a44e6
Fixed
e78c39f720679fcf3a2eacd82725ec3ea2648301
Fixed
34c519feef3e4fcff1078dc8bdb25fbbbd10303f

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46011.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.86
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.27
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46011.json"