CVE-2026-46011

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/05/2026
Last modified:
16/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mtk-jpeg: fix use-after-free in release path due to uncancelled work<br /> <br /> The mtk_jpeg_release() function frees the context structure (ctx) without<br /> first cancelling any pending or running work in ctx-&gt;jpeg_work. This<br /> creates a race window where the workqueue callback may still be accessing<br /> the context memory after it has been freed.<br /> <br /> Race condition:<br /> <br /> CPU 0 (release) CPU 1 (workqueue)<br /> ---------------- ------------------<br /> close()<br /> mtk_jpeg_release()<br /> mtk_jpegenc_worker()<br /> ctx = work-&gt;data<br /> // accessing ctx<br /> <br /> kfree(ctx) // freed!<br /> access ctx // UAF!<br /> <br /> The work is queued via queue_work() during JPEG encode/decode operations<br /> (via mtk_jpeg_device_run). If the device is closed while work is pending<br /> or running, the work handler will access freed memory.<br /> <br /> Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This<br /> ordering is critical: if cancel_work_sync() is called after mutex_lock(),<br /> and the work handler also tries to acquire the same mutex, it would cause<br /> a deadlock.<br /> <br /> Note: The open error path does NOT need cancel_work_sync() because<br /> INIT_WORK() only initializes the work structure - it does not schedule<br /> it. Work is only scheduled later during ioctl operations.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.86 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.4 (excluding)