Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-24T00:00:00 kernel: media: em28xx: fix use-after-free in em28xx_v4l2_open() 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CWE-367

In the Linux kernel, the following vulnerability has been resolved: media: em28xx: fix use-after-free in em28xx_v4l2_open() em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock, creating a race with em28xx_v4l2_init()'s error path and em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct and set dev->v4l2 to NULL under dev->lock. This race leads to two issues: - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler, since the video_device is embedded in the freed em28xx_v4l2 struct. - NULL pointer dereference in em28xx_resolution_set() when accessing v4l2->norm, since dev->v4l2 has been set to NULL. Fix this by moving the mutex_lock() before the dev->v4l2 read and adding a NULL check for dev->v4l2 under the lock.

A flaw was found in the Linux kernel's em28xx media driver. This vulnerability, a type of memory corruption, arises from a race condition where the driver attempts to use memory that has already been freed or access a null pointer. This can be triggered when the `em28xx_v4l2_open()` function is called without proper synchronization. Successful exploitation could lead to system instability or a denial of service, making the system unresponsive.

The em28xx V4L2 open path raced disconnect; upstream fixes UAF during device teardown. Red Hat recommends kernel errata for systems with em28xx-based USB tuners. Unload `em28xx` if the hardware is not required. To mitigate this issue, prevent the em28xx module from being loaded. See https://access.redhat.com/solutions/41278 for instructions. Red Hat Enterprise Linux 10 Fix deferred kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Fix deferred kernel Red Hat Enterprise Linux 7 Fix deferred kernel-rt Red Hat Enterprise Linux 8 Fix deferred kernel Red Hat Enterprise Linux 8 Fix deferred kernel-rt Red Hat Enterprise Linux 9 Fix deferred kernel Red Hat Enterprise Linux 9 Fix deferred kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-31583 https://nvd.nist.gov/vuln/detail/CVE-2026-31583 https://lore.kernel.org/linux-cve-announce/2026042412-CVE-2026-31583-edcc@gregkh/T