CVE-2026-46240 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

media: iris: Fix use-after-free in iris_release_internal_buffers()

The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy
internal buffers after FW releases") introduced a regression where
session_release_buf() may free the buffer. The caller,
iris_release_internal_buffers(), continued to access `buffer` after the
call, leading to a potential use-after-free.

Fix this by setting BUF_ATTR_PENDING_RELEASE before calling
session_release_buf(), and reverting the flag if the call fails. This
ensures no dereference occurs after potential freeing.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`7cde76db8883ec8a3d1456068079ecadbfb15ca5`	affected	< dd24998a4a4016fb9921916024399bd80f0d45c6
`1dabf00ee206eceb0f08a1fe5d1ce635f9064338`	affected	< 18c64439f249859b6140f7bf8bcf95c8ed841f28
`1dabf00ee206eceb0f08a1fe5d1ce635f9064338`	affected	< f27cfdcfc916bb59297825805f4c3499f89f9e76
`d4457f23ac0130240053a34be663f0fade3bb371`	affected	—
`6.18.16`	affected	< 6.18.32
`6.19.6`	affected	< 6.20

Linux

affected

Version	Status	Constraints
`7.0`	affected	—
`0`	unaffected	< 7.0
`6.18.32`	unaffected	≤ 6.18.*
`7.0.9`	unaffected	≤ 7.0.*
`7.1-rc3`	unaffected	≤ *

No data.

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/18c64439f249859b6140f7bf8bcf95c8ed841f28
https://git.kernel.org/stable/c/dd24998a4a4016fb9921916024399bd80f0d45c6
https://git.kernel.org/stable/c/f27cfdcfc916bb59297825805f4c3499f89f9e76

History

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: iris: Fix use-after-free in iris_release_internal_buffers() The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free. Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.
Title		media: iris: Fix use-after-free in iris_release_internal_buffers()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/18c64439f249859b6140f7bf8bcf95c8ed841f28 https://git.kernel.org/stable/c/dd24998a4a4016fb9921916024399bd80f0d45c6 https://git.kernel.org/stable/c/f27cfdcfc916bb59297825805f4c3499f89f9e76

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:41:08.376Z

Updated: 2026-05-28T09:41:08.376Z

Reserved: 2026-05-13T15:03:33.107Z

Link: CVE-2026-46240

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-28T10:16:39.613

Modified: 2026-05-28T10:16:39.613

Link: CVE-2026-46240

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object