PT-2026-43925 · Linux · Linux
Published: 2026-05-27 · Updated: 2026-05-27
CVE-2026-46058
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
In the Linux kernel, the following vulnerability has been resolved:
media: amphion: Fix race between m2m job_abort and device_run

Fix kernel panic caused by race condition where v4l2_m2m_ctx_release()
frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run
with the same context.
Race sequence:

    v4l2_m2m_try_run():            v4l2_m2m_ctx_release():
      lock/unlock                    v4l2_m2m_cancel_job()
                                       job_abort()
                                         v4l2_m2m_job_finish()
                                     kfree(m2m_ctx)  <- frees ctx
      device_run()  <- use-after-free crash at 0x538
Crash trace:

    Unable to handle kernel read from unreadable memory at virtual address 0000000000000538
    v4l2_m2m_try_run+0x78/0x138
    v4l2_m2m_device_run_work+0x14/0x20
The amphion vpu driver does not rely on the m2m framework's device_run
callback to perform encode/decode operations.

Fix the race by preventing m2m framework job scheduling entirely:
- Add job_ready callback returning 0 (no jobs ready for m2m framework)
- Remove job_abort callback to avoid the race condition
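
The effect of the two changes above, as an added example that is not the driver's or the kernel's code: a simplified userspace model of a scheduler that consults job_ready before queueing a context. Every name in it is a hypothetical stand-in, and the gating rule (a context is queued only when job_ready is absent or returns non-zero) is the model's assumption about the framework.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model; every name is a hypothetical stand-in,
 * not a kernel symbol. */
struct model_ops {
    void (*device_run)(void *priv);
    int (*job_ready)(void *priv);  /* optional; 0 = nothing for the framework */
    void (*job_abort)(void *priv); /* optional */
};
struct model_ctx {
    const struct model_ops *ops;
    bool queued;     /* ctx is on the framework's job queue */
    int device_runs; /* times the framework reached device_run */
};

static void stub_device_run(void *priv) { (void)priv; }
static void stub_job_abort(void *priv) { (void)priv; }
static int job_ready_never(void *priv) { (void)priv; return 0; }

/* Queue step (assumed rule): queue only if job_ready is absent or non-zero. */
static void model_try_queue(struct model_ctx *ctx)
{
    if (ctx->ops->job_ready && !ctx->ops->job_ready(ctx))
        return;
    ctx->queued = true;
}

/* Run step: this call into device_run is the one that raced with release. */
static void model_try_run(struct model_ctx *ctx)
{
    if (!ctx->queued)
        return;
    ctx->device_runs++;
    ctx->ops->device_run(ctx);
}

/* Before the fix: job_abort set, no job_ready. After: job_ready returns 0. */
static const struct model_ops ops_before = { .device_run = stub_device_run, .job_abort = stub_job_abort };
static const struct model_ops ops_after = { .device_run = stub_device_run, .job_ready = job_ready_never };

/* Returns how often the modelled framework reaches device_run for these ops. */
int framework_device_runs(const struct model_ops *ops)
{
    struct model_ctx ctx = { .ops = ops };
    model_try_queue(&ctx);
    model_try_run(&ctx);
    return ctx.device_runs;
}

int main(void)
{
    printf("before: %d, after: %d\n", framework_device_runs(&ops_before), framework_device_runs(&ops_after));
    return 0;
}
```

With job_ready returning 0 the context is never queued, so the modelled run step has nothing to hand to device_run and there is no window in which a concurrent release could free the context underneath it.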
Fix
Related Identifiers
Affected Products
Linux