CVE-2026-31585
Description
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix nfeeds state corruption on start_streaming failure
syzbot reported a memory leak in vidtv_psi_service_desc_init [1].
When vidtv_start_streaming() fails inside vidtv_start_feed(), the nfeeds counter is left incremented even though no feed was actually started. This corrupts the driver state: subsequent start_feed calls see nfeeds > 1 and skip starting the mux, while stop_feed calls eventually try to stop a non-existent stream.
This state corruption can also lead to memory leaks, since the mux and channel resources may be partially allocated during a failed start_streaming but never cleaned up, as the stop path finds dvb->streaming == false and returns early.
Fix by decrementing nfeeds back when start_streaming fails, keeping the counter in sync with the actual number of active feeds.
[1]
BUG: memory leak
unreferenced object 0xffff888145b50820 (size 32):
  comm "syz.0.17", pid 6068, jiffies 4294944486
  backtrace (crc 90a0c7d4):
    vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288
    vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
    vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
    vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518
    vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
    vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
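The counter/state mismatch described above, modeled in user-space C as an added example; it is not the kernel driver's source. The struct, the function names and the fail_starts knob are hypothetical, and the single failing start is constructed input.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; struct and function names are hypothetical. */
struct model_dvb {
    int  nfeeds;       /* feeds the driver believes are active */
    bool streaming;    /* set only by a successful start */
    int  fail_starts;  /* constructed knob: number of starts that fail */
};

static int model_start_streaming(struct model_dvb *d)
{
    if (d->fail_starts > 0) {
        d->fail_starts--;
        return -ENOMEM;        /* stand-in for any failure in the start path */
    }
    d->streaming = true;
    return 0;
}

/* fixed == false keeps the described bug; true rolls the counter back. */
static int model_start_feed(struct model_dvb *d, bool fixed)
{
    int ret = 0;
    d->nfeeds++;
    if (d->nfeeds == 1)        /* only the first feed starts the mux */
        ret = model_start_streaming(d);
    if (ret < 0 && fixed)
        d->nfeeds--;           /* keep the count equal to feeds actually running */
    return ret < 0 ? ret : d->nfeeds;
}

/* One failed start followed by a retry from the caller. */
static struct model_dvb run_scenario(bool fixed)
{
    struct model_dvb d = { .fail_starts = 1 };
    model_start_feed(&d, fixed);   /* first start fails */
    model_start_feed(&d, fixed);   /* caller retries */
    return d;
}

int main(void)
{
    struct model_dvb a = run_scenario(false), b = run_scenario(true);
    printf("unfixed: nfeeds=%d streaming=%d\n", a.nfeeds, a.streaming);
    printf("fixed:   nfeeds=%d streaming=%d\n", b.nfeeds, b.streaming);
    return 0;
}
```

Without the rollback the retry leaves nfeeds at 2 with streaming still false, which is the inconsistent state the description reports; with the rollback the retry starts the stream and nfeeds is 1.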
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel vidtv driver had a state corruption bug where nfeeds was incremented even on start_streaming failure, leading to memory leaks and mux state corruption.
Root Cause
In the vidtv driver, when a DVB feed is started via vidtv_start_feed(), the nfeeds counter is incremented before calling vidtv_start_streaming(). If start_streaming() fails, nfeeds is not decremented back, leaving the driver state inconsistent. This inconsistency causes subsequent start_feed() calls to incorrectly believe feeds are already active, skipping mux initialization, while stop_feed() calls may attempt to stop a non-existent stream [1].
Exploitation
A local user with access to the DVB device can trigger this by opening a frontend and initiating feed operations while causing start_streaming() to fail (e.g., through resource exhaustion). No authentication is required beyond standard device access. The bug is reachable via the media subsystem's test driver interfaces.
Impact
An attacker exploiting this state corruption can cause memory leaks: resources allocated during the partial start_streaming (such as service descriptors) are never freed because the stop path returns early when dvb->streaming is false [1]. Additionally, subsequent feed operations may behave incorrectly, potentially leading to denial-of-service conditions.
Mitigation
A fix has been applied in the Linux kernel (commit 25f19e476ab1) that decrements nfeeds when start_streaming() fails, restoring state consistency [1]. Users should update their kernel to include this commit or any later stable release containing the backport.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (6)
- git.kernel.org/stable/c/17cb7957c979529cc98ff57f7ac331532f1f7c83 (nvd, Patch)
- git.kernel.org/stable/c/25f19e476ab15defe698504212899fdb9f7cd61b (nvd, Patch)
- git.kernel.org/stable/c/4bf95f797edd63c93330eafb6d6e670982344b9b (nvd, Patch)
- git.kernel.org/stable/c/83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd (nvd, Patch)
- git.kernel.org/stable/c/98c22210aeadce67d9d20059f0dbbd01ba7fdbba (nvd, Patch)
- git.kernel.org/stable/c/a0e5a598fe9a4612b852406b51153b881592aede (nvd, Patch)