CVE-2026-23253
Description
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty.
Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}.
The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions.
Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free or list corruption in Linux kernel's DVB ringbuffer due to reinitializing a shared waitqueue on device reopen.
Vulnerability
In the Linux kernel's DVB subsystem, the function dvb_dvr_open() calls dvb_ringbuffer_init() each time a new reader opens the DVR device. This reinitializes the waitqueue head (init_waitqueue_head()) inside the shared dmxdev->dvr_buffer.queue structure. Because the waitqueue is shared across all opens of the same DVR device, resetting the list head to {self, self} orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers [1][2].
Exploitation
An attacker with local access and the ability to open the DVR device multiple times (e.g., via /dev/dvb/adapter0/dvr0) can trigger the bug by having one file descriptor register a poll or io_uring wait on the buffer, then opening a second file descriptor on the same device. The second open reinitializes the shared waitqueue, corrupting the list of waiters. No special privileges beyond access to the DVR device node are required; the attack surface is local and unprivileged in typical configurations.
Impact
Successful exploitation can lead to use-after-free or list corruption in the kernel, potentially resulting in a denial of service (system crash) or, in some cases, arbitrary code execution due to corrupted kernel memory. The CVSS v3 score of 7.8 reflects the high impact on confidentiality, integrity, and availability given local access.
Mitigation
The fix replaces the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of buffer data/size and a call to dvb_ringbuffer_reset(), which resets read/write positions without touching the waitqueue or spinlock [1][2][3][4]. The patch has been applied to the stable kernel trees; users should update to a kernel containing the commit bfbc0b5b32a8 or later.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/32eb8e4adc207ef31bc6e5ae56bab940b0176066nvd
- git.kernel.org/stable/c/527cfa8a3486b3555c5c15e2f62be484a11398dcnvd
- git.kernel.org/stable/c/af050ab44fa1b1897a940d7d756e512232f5e5dfnvd
- git.kernel.org/stable/c/bfbc0b5b32a8f28ce284add619bf226716a59bc0nvd
- git.kernel.org/stable/c/cfd94642025e6f71c8f754bdec0800ee95e4f3ddnvd
- git.kernel.org/stable/c/d71781bad59b1c9d60d7068004581f9bf19c0c9dnvd
- git.kernel.org/stable/c/f1e520ca2e83ece6731af6167c9e5e16931ecba0nvd
- git.kernel.org/stable/c/fb378cf89be434ed1f10ab79cc4788fba8ae868dnvd
News mentions
0No linked articles in our index yet.