PT-2026-44333 · Linux · Linux Kernel
Published
2026-05-28
·
Updated
2026-06-10
·
CVE-2026-46210
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 7.0.11-1.1
Description
A use-after-free issue exists in the iris media driver. A race condition occurs because the
inst->lock protects individual instance internals while the core->lock protects the active instance list. The Macro Blocks Per Frame (MBPF) checker iterates through the core list under core->lock and accesses fmt src->width and fmt src->height. Simultaneously, the iris close() function may free fmt src and fmt dst under inst->lock before the instance is removed from the core list. This leads to the MBPF checker dereferencing a dangling pointer for an instance whose fmt src has already been freed.Recommendations
Update to version 7.0.11-1.1.
Exploit
Fix
Use After Free
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Linux Kernel