CVE-2026-46240 Overview
CVE-2026-46240 is a use-after-free vulnerability in the Linux kernel's iris media driver. The flaw resides in the iris_release_internal_buffers() function, where session_release_buf() may free a buffer while the caller continues to dereference it. The regression was introduced by commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases"). Upstream maintainers resolved the issue by setting the BUF_ATTR_PENDING_RELEASE flag prior to calling session_release_buf() and reverting the flag if the call fails. This sequencing guarantees that no dereference occurs after a potential free.
Critical Impact
A use-after-free in kernel memory can lead to memory corruption, kernel crashes, or local privilege escalation if an attacker can influence the freed object's lifecycle.
Affected Products
- Linux kernel versions containing commit 1dabf00ee206 in the iris media driver
- Linux kernel stable branches prior to the fix commits 18c64439f249, dd24998a4a40, and f27cfdcfc916
- Systems leveraging the Qualcomm iris video codec driver under drivers/media/platform
Discovery Timeline
- 2026-05-28 - CVE-2026-46240 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46240
Vulnerability Analysis
The vulnerability is a classic use-after-free [CWE-416] in the kernel's iris media driver. Inside iris_release_internal_buffers(), the function invokes session_release_buf() on an internal buffer object. The introducing commit altered session_release_buf() semantics so that the buffer can be destroyed before control returns to the caller. Despite the freed state, the caller proceeds to access fields of the buffer pointer, producing a dangling-pointer dereference.
Use-after-free conditions in kernel context are dangerous because the slab allocator may reuse the freed memory for unrelated objects. An adjacent allocation can place attacker-influenced data into the freed slot, turning the stale read or write into an information disclosure, kernel panic, or potential code execution primitive.
Root Cause
The root cause is an ownership and lifetime mismatch between iris_release_internal_buffers() and session_release_buf(). After the commit 1dabf00ee206 change, the callee assumed responsibility for freeing the buffer in certain paths, but the caller was not updated to stop using the pointer afterward. The fix introduces a state flag, BUF_ATTR_PENDING_RELEASE, that is set before the call and reverted only when the release fails, ensuring deterministic ownership transfer.
Attack Vector
Triggering the bug requires local interaction with the affected video codec driver, typically through a V4L2 user-space client that exercises buffer allocation and release paths. An unprivileged local user with access to the iris device node could repeatedly invoke buffer release operations to race or exercise the freed-pointer path. The exact exploitability depends on slab layout and timing within the firmware release sequence.
No public proof-of-concept is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The vulnerability mechanism is documented in the upstream patch commits referenced in the kernel.org stable tree.
Detection Methods for CVE-2026-46240
Indicators of Compromise
- Kernel oops or panic logs referencing iris_release_internal_buffers or session_release_buf in the call trace
- KASAN (Kernel Address Sanitizer) reports flagging use-after-free in drivers/media/platform/qcom/iris/
- Unexpected media subsystem crashes on devices using the Qualcomm iris video accelerator
Detection Strategies
- Enable CONFIG_KASAN on test kernels to surface use-after-free conditions in the iris driver during fuzzing or regression testing
- Audit installed kernel package versions across Linux fleets and compare against the fixed stable commits 18c64439f249, dd24998a4a40, and f27cfdcfc916
- Run syzkaller or V4L2 stress harnesses against media device nodes to identify reproducible crashes
Monitoring Recommendations
- Forward /var/log/kern.log and dmesg output to a centralized logging platform and alert on BUG: KASAN, general protection fault, or iris driver stack frames
- Track kernel version inventory continuously to detect unpatched hosts running vulnerable builds
- Monitor abnormal process termination patterns from user-space video applications that may indicate driver instability
How to Mitigate CVE-2026-46240
Immediate Actions Required
- Apply the upstream kernel patches from commits 18c64439f249859b6140f7bf8bcf95c8ed841f28, dd24998a4a4016fb9921916024399bd80f0d45c6, and f27cfdcfc916bb59297825805f4c3499f89f9e76
- Update to the latest stable kernel release supplied by your Linux distribution that incorporates these fixes
- Restrict access to /dev/video* device nodes to trusted users and groups only
Patch Information
The upstream fix sets BUF_ATTR_PENDING_RELEASE on the buffer before calling session_release_buf(), then reverts the flag if the release fails. This eliminates the window in which the caller could dereference a freed buffer. The patches are available at the kernel.org stable tree, with additional backports at commit dd24998a and commit f27cfdcf.
Workarounds
- Unload the iris kernel module on systems that do not require Qualcomm video codec acceleration using modprobe -r iris_vpu
- Apply udev rules to limit device node permissions to administrative accounts until patching is complete
- Disable the affected media subsystem in kernel configuration (CONFIG_VIDEO_QCOM_IRIS=n) for custom builds where the feature is unused
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
