In the Linux kernel, the following vulnerability has been resolved:
media: amphion: Fix race between m2m jobabort and devicerun
Fix kernel panic caused by race condition where v4l2m2mctxrelease() frees m2mctx while v4l2m2mtryrun() is about to call devicerun with the same context.
Race sequence: v4l2m2mtryrun(): v4l2m2mctxrelease(): lock/unlock v4l2m2mcanceljob() jobabort() v4l2m2mjobfinish() kfree(m2mctx) <- frees ctx device_run() <- use-after-free crash at 0x538
Crash trace: Unable to handle kernel read from unreadable memory at virtual address 0000000000000538 v4l2m2mtryrun+0x78/0x138 v4l2m2mdevicerun_work+0x14/0x20
The amphion vpu driver does not rely on the m2m framework's device_run callback to perform encode/decode operations.
Fix the race by preventing m2m framework job scheduling entirely: - Add jobready callback returning 0 (no jobs ready for m2m framework) - Remove jobabort callback to avoid the race condition
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46058.json",
"cna_assigner": "Linux"
}