CVE-2026-46210

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 28/05/2026
Last modified: 30/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

media: iris: fix use-after-free of fmt_src during MBPF check

During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.

The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.
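The teardown ordering described above, as a userspace model added here for illustration; it is not the iris driver's code. The struct layout, the function names inst_open, mbpf_total and inst_close, and the 16x16 macroblock size are assumptions; only fmt_src, fmt_dst, width, height, inst->lock and core->lock come from the description.

```c
#include <pthread.h>
#include <stdlib.h>
struct fmt { unsigned width, height; };   /* userspace model; names are assumptions */
struct inst {
    pthread_mutex_t lock;          /* models inst->lock: this instance only */
    struct fmt *fmt_src, *fmt_dst;
    struct inst *next;             /* link in the core list */
};
struct core { pthread_mutex_t lock; struct inst *head; };   /* lock models core->lock */

struct inst *inst_open(struct core *c, unsigned w, unsigned h)
{
    struct inst *i = calloc(1, sizeof(*i));
    if (!i) return NULL;
    i->fmt_src = calloc(1, sizeof(*i->fmt_src));
    i->fmt_dst = calloc(1, sizeof(*i->fmt_dst));
    if (!i->fmt_src || !i->fmt_dst) { free(i->fmt_src); free(i->fmt_dst); free(i); return NULL; }
    pthread_mutex_init(&i->lock, NULL);
    i->fmt_src->width = w; i->fmt_src->height = h;
    pthread_mutex_lock(&c->lock);  /* publish only once fully built */
    i->next = c->head; c->head = i;
    pthread_mutex_unlock(&c->lock);
    return i;
}

/* MBPF check: holds core->lock only, so every listed instance must own a live fmt_src. */
unsigned long mbpf_total(struct core *c)
{
    unsigned long total = 0;
    pthread_mutex_lock(&c->lock);
    for (struct inst *i = c->head; i; i = i->next)   /* 16x16 macroblocks: assumption */
        total += (unsigned long)((i->fmt_src->width + 15) / 16) * ((i->fmt_src->height + 15) / 16);
    pthread_mutex_unlock(&c->lock);
    return total;
}

/* Corrected order: unlink under core->lock first, free the formats afterwards. */
void inst_close(struct core *c, struct inst *inst)
{
    pthread_mutex_lock(&c->lock);
    for (struct inst **pp = &c->head; *pp; pp = &(*pp)->next)
        if (*pp == inst) { *pp = inst->next; break; }
    pthread_mutex_unlock(&c->lock);
    pthread_mutex_lock(&inst->lock);   /* no list walker can reach inst any more */
    free(inst->fmt_src); free(inst->fmt_dst);
    pthread_mutex_unlock(&inst->lock);
    pthread_mutex_destroy(&inst->lock);
    free(inst);
}
```

Moving the two free() calls above the unlink reproduces the window the description warns about: the instance stays reachable from the list while its fmt_src is already gone.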