PT-2026-34936 · Linux · Linux Kernel
Published: 2026-04-24 · Updated: 2026-05-06 · CVE-2026-31584
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A use-after-free issue exists in the MediaTek vcodec encoder release path. The fops_vcodec_release() function frees the context structure ctx without cancelling pending or running work in ctx->encode_work. This creates a race condition where the workqueue handler mtk_venc_worker() may access the context memory after it has been freed. The root cause is that v4l2_m2m_ctx_release() only waits for the m2m job lifecycle and not the workqueue lifecycle, allowing the worker function to continue executing and dereference ctx after the m2m framework considers the job complete.
Recommendations
As a temporary workaround, restrict access to the MediaTek vcodec encoder components until a patch is applied. Update the Linux kernel to a version where cancel_work_sync() is called for ctx->encode_work before kfree(ctx) in the fops_vcodec_release() function.
Fix
Use After Free
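The lifecycle gap described above, as a deterministic userspace state model in C. This is an added example, not the driver's or the kernel's code: the struct ctx layout, worker_step(), release_ctx() and simulate() are hypothetical names, and the free is modelled with a flag so the model never touches released memory.

```c
/* Userspace state model (constructed for illustration; not the driver's code).
 * "freed" is a flag, so the model itself never touches released memory. */
#include <stdbool.h>
#include <stdio.h>
enum wstate { W_IDLE, W_QUEUED, W_AFTER_FINISH, W_DONE };

struct ctx {
    enum wstate work;   /* models the state of ctx->encode_work */
    bool job_running;   /* the only thing the m2m framework tracks */
    bool freed;         /* models kfree(ctx) */
    int stale_access;   /* worker steps that touched ctx after the free */
};

static bool outstanding(const struct ctx *c) { return c->work == W_QUEUED || c->work == W_AFTER_FINISH; }

/* One scheduling slice of the worker (models mtk_venc_worker()). */
static void worker_step(struct ctx *c)
{
    if (!outstanding(c)) return;
    if (c->freed) c->stale_access++;   /* in the kernel: the use-after-free */
    if (c->work == W_QUEUED) {
        c->job_running = false;        /* job reported finished to m2m */
        c->work = W_AFTER_FINISH;      /* but the handler has not returned yet */
    } else {
        c->work = W_DONE;              /* handler returns */
    }
}

/* Models the release path; fixed=true adds the cancel_work_sync() step. */
static int release_ctx(struct ctx *c, bool fixed)
{
    while (c->job_running) worker_step(c);               /* waits for the m2m job only */
    while (fixed && outstanding(c)) worker_step(c);      /* waits for the work item */
    c->freed = true;
    while (outstanding(c)) worker_step(c);               /* worker is scheduled later */
    return c->stale_access;
}

static int simulate(bool fixed)
{
    struct ctx c = { .work = W_QUEUED, .job_running = true };
    return release_ctx(&c, fixed);
}

int main(void)
{
    printf("unpatched: %d, patched: %d stale accesses\n", simulate(false), simulate(true));
    return 0;
}
```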
Weakness Enumeration
Related Identifiers
Affected Products
Linux Kernel