{
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: media: mediatek: vcodec: fix use-after-free in encoder release path",
    "id" : "2461436",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461436"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmedia: mediatek: vcodec: fix use-after-free in encoder release path\nThe fops_vcodec_release() function frees the context structure (ctx)\nwithout first cancelling any pending or running work in ctx->encode_work.\nThis creates a race window where the workqueue handler (mtk_venc_worker)\nmay still be accessing the context memory after it has been freed.\nRace condition:\nCPU 0 (release path)               CPU 1 (workqueue)\n---------------------               ------------------\nfops_vcodec_release()\nv4l2_m2m_ctx_release()\nv4l2_m2m_cancel_job()\n// waits for m2m job \"done\"\nmtk_venc_worker()\nv4l2_m2m_job_finish()\n// m2m job \"done\"\n// BUT worker still running!\n// post-job_finish access:\nother ctx dereferences\n// UAF if ctx already freed\n// returns (job \"done\")\nkfree(ctx)  // ctx freed\nRoot cause: The v4l2_m2m_ctx_release() only waits for the m2m job\nlifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle.\nAfter v4l2_m2m_job_finish() is called, the m2m framework considers\nthe job complete and v4l2_m2m_ctx_release() returns, but the worker\nfunction continues executing and may still access ctx.\nThe work is queued during encode operations via:\nqueue_work(ctx->dev->encode_workqueue, &ctx->encode_work)\nThe worker function accesses ctx->m2m_ctx, ctx->dev, and other ctx\nfields even after calling v4l2_m2m_job_finish().\nThis vulnerability was confirmed with KASAN by running an instrumented\ntest module that widens the post-job_finish race window.\nKASAN detected:\nBUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180\nRead of size 4 at addr ffff88800326e000 by task kworker/u8:0/12\nWorkqueue: mtk_vcodec_enc_wq mtk_venc_worker\nAllocated by task 47:\n__kasan_kmalloc+0x7f/0x90\nfops_vcodec_open+0x85/0x1a0\nFreed by task 47:\n__kasan_slab_free+0x43/0x70\nkfree+0xee/0x3a0\nfops_vcodec_release+0xb7/0x190\nFix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx).\nThis ensures the workqueue handler is both cancelled (if pending) and\nsynchronized (waits for any running handler to complete) before the\ncontext is freed.\nPlacement rationale: The fix is placed after v4l2_ctrl_handler_free()\nand before list_del_init(&ctx->list). At this point, all m2m operations\nare done (v4l2_m2m_ctx_release() has returned), and we need to ensure\nthe workqueue is synchronized before removing ctx from the list and\nfreeing it.\nNote: The open error path does NOT need cancel_work_sync() because\nINIT_WORK() only initializes the work structure - it does not schedule\nit. Work is only scheduled later during device_run() operations.", "A flaw was found in the MediaTek vcodec driver within the Linux kernel. This use-after-free vulnerability occurs when the driver frees a context structure before ensuring that all pending or running workqueue operations have completed. A local attacker could exploit this race condition, potentially leading to a system crash (Denial of Service) or other unpredictable system behavior due to memory corruption." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31584\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31584\nhttps://lore.kernel.org/linux-cve-announce/2026042412-CVE-2026-31584-d806@gregkh/T" ],
  "name" : "CVE-2026-31584",
  "csaw" : false
}