CVE-2026-31583
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/04/2026
Last modified:
24/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
media: em28xx: fix use-after-free in em28xx_v4l2_open()<br />
<br />
em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock,<br />
creating a race with em28xx_v4l2_init()&#39;s error path and<br />
em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct<br />
and set dev->v4l2 to NULL under dev->lock.<br />
<br />
This race leads to two issues:<br />
- use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler,<br />
since the video_device is embedded in the freed em28xx_v4l2 struct.<br />
- NULL pointer dereference in em28xx_resolution_set() when accessing<br />
v4l2->norm, since dev->v4l2 has been set to NULL.<br />
<br />
Fix this by moving the mutex_lock() before the dev->v4l2 read and<br />
adding a NULL check for dev->v4l2 under the lock.