CVE-2026-31583

Severity CVSS v4.0:

Pending analysis

Type:

CWE-416 Use After Free

Publication date:

24/04/2026

Last modified:

27/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved: media: em28xx: fix use-after-free in em28xx_v4l2_open() em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock, creating a race with em28xx_v4l2_init()&#39;s error path and em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct and set dev->v4l2 to NULL under dev->lock. This race leads to two issues: - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler, since the video_device is embedded in the freed em28xx_v4l2 struct. - NULL pointer dereference in em28xx_resolution_set() when accessing v4l2->norm, since dev->v4l2 has been set to NULL. Fix this by moving the mutex_lock() before the dev->v4l2 read and adding a NULL check for dev->v4l2 under the lock.

Impact

Vector 3.x

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

7.80

Severity 3.x

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:o:linux:linux_kernel::::::::		6.6.136 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	6.12 (including)	6.12.83 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	6.13 (including)	6.18.24 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	6.19 (including)	6.19.14 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	7.0 (including)	7.0.1 (excluding)

To consult the complete list of CPE names with products and versions, see this page

CVE-2026-31583

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools