VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-46011

Description

In the Linux kernel, the following vulnerability has been resolved:

media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

The mtk_jpeg_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->jpeg_work. This creates a race window where the workqueue callback may still be accessing the context memory after it has been freed.

Race condition:

    CPU 0 (release)              CPU 1 (workqueue)
    ----------------             ------------------
    close()
      mtk_jpeg_release()         mtk_jpegenc_worker()
                                   ctx = work->data
                                   // accessing ctx
        kfree(ctx)               // freed!
                                   access ctx   // UAF!

The work is queued via queue_work() during JPEG encode/decode operations (via mtk_jpeg_device_run). If the device is closed while work is pending or running, the work handler will access freed memory.

Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This ordering is critical: if cancel_work_sync() is called after mutex_lock(), and the work handler also tries to acquire the same mutex, it would cause a deadlock.

Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during ioctl operations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Linux kernel mtk-jpeg driver due to uncancelled work in release path, allowing potential memory corruption.

Vulnerability

A use-after-free vulnerability exists in the Linux kernel's mtk-jpeg driver. In the mtk_jpeg_release() function, the context structure (ctx) is freed without first cancelling any pending or running work queued via queue_work() in mtk_jpeg_device_run. This affects Linux kernel versions that include the mtk-jpeg driver; the fix is identified in commit e78c39f720679fcf3a2eacd82725ec3ea2648301 [1].

Exploitation

An attacker with local access to the system can trigger the race condition by initiating a JPEG encode or decode operation (via ioctl) and then closing the device file descriptor before the workqueue callback completes. The work handler (mtk_jpegenc_worker()) may still access the freed ctx memory after kfree() has been called. No special privileges beyond the ability to open and use the media device are required.

Impact

Successful exploitation results in a use-after-free condition, which can lead to kernel memory corruption, denial of service, or potentially privilege escalation. The attacker may be able to corrupt kernel structures or leak sensitive information, depending on the state of the freed memory.

Mitigation

The vulnerability is fixed in the Linux kernel by commit e78c39f720679fcf3a2eacd82725ec3ea2648301 [1]. Users should update their kernel to a version containing this fix. No workaround is available; the fix must be applied via a kernel update.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

10
0498b27a1542

media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

2 files changed · +2 2
  • drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c+1 1 modified
    diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    index ff269467635561..7560b9e3839465 100644
    --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    @@ -1213,6 +1213,7 @@ static int mtk_jpeg_release(struct file *file)
     	struct mtk_jpeg_dev *jpeg = video_drvdata(file);
     	struct mtk_jpeg_ctx *ctx = mtk_jpeg_fh_to_ctx(file->private_data);
     
    +	cancel_work_sync(&ctx->jpeg_work);
     	mutex_lock(&jpeg->lock);
     	v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
     	v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
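Review bot: the added cancel_work_sync(&ctx->jpeg_work) carries no comment recording why it has to sit above mutex_lock(&jpeg->lock); the constraint (the work handler takes the same mutex, so cancelling while holding it deadlocks) lives only in the commit message, and the next person to reorder this teardown will not see it. Suggest a short comment above the call, e.g. `/* Must run before taking jpeg->lock: the worker acquires it too. */`.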
    -- 
    cgit 1.3-korg
    
    
    
26506a30e0e2

media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

2 files changed · +2 2
  • drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c+1 1 modified
    diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    index 6268d651bdcfd2..a2518793c685a2 100644
    --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    @@ -1209,6 +1209,7 @@ static int mtk_jpeg_release(struct file *file)
     	struct mtk_jpeg_dev *jpeg = video_drvdata(file);
     	struct mtk_jpeg_ctx *ctx = mtk_jpeg_file_to_ctx(file);
     
    +	cancel_work_sync(&ctx->jpeg_work);
     	mutex_lock(&jpeg->lock);
     	v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
     	v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
e78c39f72067

media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

2 files changed · +2 2
  • drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c+1 1 modified
    diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    index c01124a349f61c..8c684756d5fc25 100644
    --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    @@ -1202,6 +1202,7 @@ static int mtk_jpeg_release(struct file *file)
     	struct mtk_jpeg_dev *jpeg = video_drvdata(file);
     	struct mtk_jpeg_ctx *ctx = mtk_jpeg_file_to_ctx(file);
     
    +	cancel_work_sync(&ctx->jpeg_work);
     	mutex_lock(&jpeg->lock);
     	v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
     	v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
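Review bot: cancel_work_sync() runs before v4l2_m2m_ctx_release(ctx->fh.m2m_ctx), which is the call that stops further m2m jobs for this context, and the commit message says the work is queued from device_run; so the hunk relies on no device_run firing for this ctx between cancel_work_sync() returning and the m2m context being released. If that holds because no ioctl can reach a file that is already in release(), a one-line comment saying so would make the ordering reviewable; if a job already scheduled for this ctx could still run device_run in that window, the cancel needs to come after m2m job scheduling has been stopped (while still staying outside jpeg->lock) rather than at the top of the function.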
34c519feef3e

media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

2 files changed · +2 2
  • drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c+1 1 modified
    diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    index c01124a349f61c..8c684756d5fc25 100644
    --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    @@ -1202,6 +1202,7 @@ static int mtk_jpeg_release(struct file *file)
     	struct mtk_jpeg_dev *jpeg = video_drvdata(file);
     	struct mtk_jpeg_ctx *ctx = mtk_jpeg_file_to_ctx(file);
     
    +	cancel_work_sync(&ctx->jpeg_work);
     	mutex_lock(&jpeg->lock);
     	v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
     	v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
2209fdae5c2f

media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

2 files changed · +2 2
  • drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c+1 1 modified
    diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    index 4c7b46f5a7ddd5..5c513916cf721c 100644
    --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
    @@ -1214,6 +1214,7 @@ static int mtk_jpeg_release(struct file *file)
     	struct mtk_jpeg_dev *jpeg = video_drvdata(file);
     	struct mtk_jpeg_ctx *ctx = mtk_jpeg_fh_to_ctx(file->private_data);
     
    +	cancel_work_sync(&ctx->jpeg_work);
     	mutex_lock(&jpeg->lock);
     	v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
     	v4l2_ctrl_handler_free(&ctx->ctrl_hdl);

Vulnerability mechanics

Root cause

"Missing cancellation of pending workqueue work before freeing the context structure in mtk_jpeg_release()."

Attack vector

An attacker with access to a Mediatek JPEG hardware device can trigger a use-after-free by closing the device file descriptor while a JPEG encode/decode work item is still pending or executing on the kernel workqueue. The work is queued via queue_work() during normal JPEG encode/decode operations (mtk_jpeg_device_run). When the attacker calls close() while work is still in flight, mtk_jpeg_release() frees the context (ctx) without first calling cancel_work_sync(), so the workqueue callback (mtk_jpegenc_worker()) may continue accessing the freed ctx memory [patch_id=2660461].

Affected code

The vulnerability is in the mtk_jpeg_release() function in drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c [patch_id=2660461]. The function frees the mtk_jpeg_ctx context structure without first cancelling ctx->jpeg_work, which is a work_struct that can be scheduled via queue_work() during JPEG encode/decode operations.

What the fix does

The fix adds a single call to cancel_work_sync(&ctx->jpeg_work) at the beginning of mtk_jpeg_release(), before the mutex_lock() call [patch_id=2660461]. This ensures any pending or running workqueue item finishes (or is cancelled) before the context structure is freed. The placement before mutex_lock() is critical: if cancel_work_sync() were called after mutex_lock(), and the work handler also tries to acquire the same mutex, a deadlock would occur. The open error path does not need this fix because INIT_WORK() only initializes the work structure and does not schedule it.

Preconditions

  • config: The system must have a Mediatek JPEG hardware device with the mtk-jpeg driver loaded.
  • auth: The attacker must be able to open the V4L2 device node and initiate JPEG encode/decode operations (ioctl calls).
  • input: The attacker must close the device file descriptor while a previously queued work item is still pending or executing.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.