CVE-2026-46240
Description
In the Linux kernel, the following vulnerability has been resolved:
media: iris: Fix use-after-free in iris_release_internal_buffers()
The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access the buffer after the call, leading to a potential use-after-free.
Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's Iris media driver, a use-after-free in iris_release_internal_buffers() can occur when session_release_buf() frees the buffer before the caller finishes using it, fixed by setting a pending flag before release.
Vulnerability
A use-after-free vulnerability exists in the Linux kernel's Iris media driver, specifically in iris_release_internal_buffers(). It was introduced by commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases"), after which session_release_buf() may free the buffer object inside the call while the caller still writes to it afterwards. Any kernel that carries 1dabf00ee206 without this fix is affected; the fix is in mainline and in the stable branches listed under Patches [1][2][3].
Exploitation
Reaching the bug requires a local process that can open the Iris V4L2 device node and drive a codec session to the point where the driver tears down that session's internal buffers. The description does not say which privileges that needs; access to /dev/video* is governed by device-node permissions, so the exposed surface is local, not remote. iris_release_internal_buffers() walks the queued internal buffers and calls session_release_buf() on each; after commit 1dabf00ee206 the gen1 firmware path may destroy the buffer synchronously inside that call, and the original code then executed buffer->attr |= BUF_ATTR_PENDING_RELEASE on the freed object. No race is needed: the free and the subsequent write happen in program order on the same thread [1].
Impact
The use-after-free is a single read-modify-write of buffer->attr (an OR of BUF_ATTR_PENDING_RELEASE) on a struct iris_buffer that has just been freed. That write corrupts the freed slab object, possibly including allocator metadata stored in it, and may not surface until a later allocation; in a KASAN build it is reported at the offending line. Turning it into more than a crash would require the freed object to be reallocated between the free and the write so that the OR sets a bit in another object's field, and because the two happen back-to-back on one thread that window is very narrow. The realistic impact is therefore a local denial of service or memory corruption rather than privilege escalation, although confidentiality and integrity cannot be ruled out in principle [1].
Mitigation
The fix is in mainline and in the stable branches listed under Patches. iris_release_internal_buffers() now sets BUF_ATTR_PENDING_RELEASE before calling session_release_buf() and clears it only when that call fails, so the buffer is never touched after a call that may have freed it. Apply the corresponding stable update. No workaround is documented short of not using the driver; the code is specific to the Qualcomm Iris video codec driver (CONFIG_VIDEO_QCOM_IRIS), so kernels built without it, or running on hardware without the Iris block, are not exposed. To decide whether a given tree needs the patch, check whether it carries commit 1dabf00ee206 without this fix [1][2][3].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
6 index entries covering three distinct commits
18c64439f249 media: iris: Fix use-after-free in iris_release_internal_buffers()
2 files changed · +8 −6
drivers/media/platform/qcom/iris/iris_buffer.c+4 −3 modifieddiff --git a/drivers/media/platform/qcom/iris/iris_buffer.c b/drivers/media/platform/qcom/iris/iris_buffer.c index 9151f43bc6b9c2..1d53c7414b754b 100644 --- a/drivers/media/platform/qcom/iris/iris_buffer.c +++ b/drivers/media/platform/qcom/iris/iris_buffer.c @@ -582,10 +582,12 @@ static int iris_release_internal_buffers(struct iris_inst *inst, continue; if (!(buffer->attr & BUF_ATTR_QUEUED)) continue; + buffer->attr |= BUF_ATTR_PENDING_RELEASE; ret = hfi_ops->session_release_buf(inst, buffer); - if (ret) + if (ret) { + buffer->attr &= ~BUF_ATTR_PENDING_RELEASE; return ret; - buffer->attr |= BUF_ATTR_PENDING_RELEASE; + } } return 0; -- cgit 1.3-korg
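Review bot: the failure path now writes buffer->attr after session_release_buf() has returned, so the fix rests on an invariant the hunk does not state: an error return from session_release_buf() must never have freed the buffer. A one-line comment above `buffer->attr &= ~BUF_ATTR_PENDING_RELEASE;` naming that invariant would stop a later change to the gen1 release path from reintroducing the same use-after-free. The loop header is outside the hunk; since the iterator's read of the next element also happens after the call, it is worth confirming that the list walk tolerates the current node being freed and unlinked inside session_release_buf().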
f27cfdcfc916 media: iris: Fix use-after-free in iris_release_internal_buffers()
2 files changed · +8 −6
drivers/media/platform/qcom/iris/iris_buffer.c+4 −3 modifieddiff --git a/drivers/media/platform/qcom/iris/iris_buffer.c b/drivers/media/platform/qcom/iris/iris_buffer.c index 9151f43bc6b9c2..1d53c7414b754b 100644 --- a/drivers/media/platform/qcom/iris/iris_buffer.c +++ b/drivers/media/platform/qcom/iris/iris_buffer.c @@ -582,10 +582,12 @@ static int iris_release_internal_buffers(struct iris_inst *inst, continue; if (!(buffer->attr & BUF_ATTR_QUEUED)) continue; + buffer->attr |= BUF_ATTR_PENDING_RELEASE; ret = hfi_ops->session_release_buf(inst, buffer); - if (ret) + if (ret) { + buffer->attr &= ~BUF_ATTR_PENDING_RELEASE; return ret; - buffer->attr |= BUF_ATTR_PENDING_RELEASE; + } } return 0; -- cgit 1.3-korg
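Review bot: the early return on `if (ret) {` is pre-existing rather than introduced here, but after this change it leaves the function in a mixed state worth documenting: every buffer released before the failure keeps BUF_ATTR_PENDING_RELEASE set (or is already gone), the buffer that failed has the flag cleared, and the buffers after it are not visited at all, so the caller cannot tell from the attrs which buffers the firmware still owns. Either defer the return until the loop completes or add a comment stating that the caller must tear the session down regardless. The pre- and post-image blob ids (9151f43bc6b9c2..1d53c7414b754b) and the @@ -582 offset match the mainline hunk, so the backport itself is verbatim.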
dd24998a4a40 media: iris: Fix use-after-free in iris_release_internal_buffers()
2 files changed · +8 −6
drivers/media/platform/qcom/iris/iris_buffer.c+4 −3 modifieddiff --git a/drivers/media/platform/qcom/iris/iris_buffer.c b/drivers/media/platform/qcom/iris/iris_buffer.c index 006ad855a8e518..11eb205f864603 100644 --- a/drivers/media/platform/qcom/iris/iris_buffer.c +++ b/drivers/media/platform/qcom/iris/iris_buffer.c @@ -571,10 +571,12 @@ static int iris_release_internal_buffers(struct iris_inst *inst, continue; if (!(buffer->attr & BUF_ATTR_QUEUED)) continue; + buffer->attr |= BUF_ATTR_PENDING_RELEASE; ret = hfi_ops->session_release_buf(inst, buffer); - if (ret) + if (ret) { + buffer->attr &= ~BUF_ATTR_PENDING_RELEASE; return ret; - buffer->attr |= BUF_ATTR_PENDING_RELEASE; + } } return 0; -- cgit 1.3-korg
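Review bot: this applies the same change at @@ -571 against a different pre-image (006ad855a8e518 rather than the 9151f43bc6b9c2 seen in the other hunks), so this tree's iris_buffer.c differs above this function. The write-after-free only exists where session_release_buf() can free the buffer synchronously, which the description attributes to 1dabf00ee206; the backport should carry that commit's hash for this branch in its Fixes: tag, or the reviewer should confirm the deferred-destroy change is actually present here, otherwise the hunk is harmless but is not fixing anything.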
Vulnerability mechanics
Root cause
"Use-after-free in iris_release_internal_buffers() where buffer->attr is written after session_release_buf() may have freed the buffer."
Attack vector
The bug is reached when the kernel tears down a session's internal buffers through `iris_release_internal_buffers()`. For each queued buffer the function calls `session_release_buf()`; on the gen1 firmware path that call can free the buffer before returning, and the original code then executed `buffer->attr |= BUF_ATTR_PENDING_RELEASE` on the freed object. An attacker does not control the buffer's lifetime directly; what a local user can do is drive a codec session on the Qualcomm Iris video device until this release path runs, so the realistic outcome is a local denial of service or memory corruption during normal buffer teardown.
Affected code
The vulnerable function is `iris_release_internal_buffers()` in `drivers/media/platform/qcom/iris/iris_buffer.c` [patch_id=2897483]. The bug is in the loop that calls `session_release_buf()` and then accesses `buffer->attr` after the call, when `session_release_buf()` may have already freed the buffer.
What the fix does
The patch moves the `BUF_ATTR_PENDING_RELEASE` flag assignment to *before* the call to `session_release_buf()`, and only reverts it if the call fails [patch_id=2897483]. This ensures that no write to `buffer->attr` occurs after the buffer may have been freed. If `session_release_buf()` succeeds and frees the buffer, the flag is already set and no further access to `buffer` happens. If the call fails, the flag is cleared and the error is returned.
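The ordering the fix depends on, as an added model written for this page rather than kernel code: the slab allocator, the buffer list and the HFI firmware call are replaced by a small instrumented pool, with a fake kfree that poisons the object so a write after free can be counted the way KASAN would report it. The BUF_ATTR_* names and the shape of the loop come from the patch; `fw_already_released`, `release_rc`, `FREED_POISON` and the three-buffer scenario are assumptions of this model.

```c
/* Added model of the iris internal-buffer release loop (not kernel code): the
 * slab allocator, buffer list and HFI firmware call are replaced by a small
 * instrumented pool so the write-after-free is deterministic and countable.
 * Only the BUF_ATTR_* names and the loop shape come from the patch. */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_ATTR_QUEUED          (1u << 0)
#define BUF_ATTR_PENDING_RELEASE (1u << 1)
#define FREED_POISON             0xdead0000u  /* pattern left by the fake kfree */
#define NBUFS 3

struct iris_buffer {
    uint32_t attr;
    bool freed;               /* instrumentation: returned to the allocator */
    bool fw_already_released; /* gen1 model: release destroys the buffer synchronously */
    int release_rc;           /* 0, or the -errno the release call fails with */
};

struct iris_inst { struct iris_buffer *bufs; size_t nbufs; };

/* Debug-allocator style free: mark the object and poison its contents. */
static void fake_kfree(struct iris_buffer *b) { b->freed = true; b->attr = FREED_POISON; }

/* Model of hfi_ops->session_release_buf() after 1dabf00ee206: a successful
 * return may have freed the buffer; a failed return never does. */
static int session_release_buf(struct iris_inst *inst, struct iris_buffer *b)
{
    (void)inst;
    if (b->release_rc)
        return b->release_rc;
    if (b->fw_already_released)
        fake_kfree(b);
    return 0;
}

/* Pre-fix ordering: attr is written after the call that may have freed buffer. */
static int release_internal_buffers_vuln(struct iris_inst *inst)
{
    for (size_t i = 0; i < inst->nbufs; i++) {
        struct iris_buffer *buffer = &inst->bufs[i];
        if (!(buffer->attr & BUF_ATTR_QUEUED))
            continue;
        int ret = session_release_buf(inst, buffer);
        if (ret)
            return ret;
        buffer->attr |= BUF_ATTR_PENDING_RELEASE;  /* use-after-free if freed above */
    }
    return 0;
}

/* Fixed ordering: record the state before handing ownership to the callee,
 * and undo it only on the path where the callee is known not to have freed. */
static int release_internal_buffers_fixed(struct iris_inst *inst)
{
    for (size_t i = 0; i < inst->nbufs; i++) {
        struct iris_buffer *buffer = &inst->bufs[i];
        if (!(buffer->attr & BUF_ATTR_QUEUED))
            continue;
        buffer->attr |= BUF_ATTR_PENDING_RELEASE;
        int ret = session_release_buf(inst, buffer);
        if (ret) {
            buffer->attr &= ~BUF_ATTR_PENDING_RELEASE;
            return ret;
        }
    }
    return 0;
}

/* KASAN-like check: a freed object whose poison changed was written after free. */
static int count_writes_after_free(const struct iris_inst *inst)
{
    int n = 0;
    for (size_t i = 0; i < inst->nbufs; i++)
        if (inst->bufs[i].freed && inst->bufs[i].attr != FREED_POISON)
            n++;
    return n;
}

struct run_result { int rc; int uaf_writes; uint32_t attr[NBUFS]; };

/* Constructed scenario: three queued buffers; firmware has already released the
 * even-indexed ones, so their release frees synchronously; fail_index picks a
 * buffer whose release returns -EBUSY (-1 for none). */
static struct run_result run_release(bool fixed, int fail_index)
{
    struct iris_buffer pool[NBUFS];
    struct iris_inst inst = { pool, NBUFS };
    struct run_result r;
    for (int i = 0; i < NBUFS; i++) {
        pool[i].attr = BUF_ATTR_QUEUED;
        pool[i].freed = false;
        pool[i].fw_already_released = (i % 2 == 0);
        pool[i].release_rc = (i == fail_index) ? -EBUSY : 0;
    }
    r.rc = fixed ? release_internal_buffers_fixed(&inst) : release_internal_buffers_vuln(&inst);
    r.uaf_writes = count_writes_after_free(&inst);
    for (int i = 0; i < NBUFS; i++)
        r.attr[i] = pool[i].attr;
    return r;
}

/* Final attr word of buffer i after a run; FREED_POISON means it was freed untouched. */
static uint32_t attr_after(bool fixed, int fail_index, int i)
{
    struct run_result r = run_release(fixed, fail_index);
    return r.attr[i];
}

int main(void)
{
    struct run_result before = run_release(false, -1), after = run_release(true, -1);
    printf("pre-fix : %d write(s) after free\n", before.uaf_writes);
    printf("post-fix: %d write(s) after free\n", after.uaf_writes);
    return 0;
}
```

With no failures the pre-fix loop produces two writes after free (the two buffers the model frees synchronously) and the fixed loop none. The failure case shows the other half of the patch: when buffer 1 returns -EBUSY the fixed loop clears its pending bit and returns, leaving buffer 0 freed untouched and buffer 2 still merely queued, which is exactly the state a caller sees after the early return.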
Preconditions
- config: the kernel must include the Qualcomm Iris video driver with the faulty commit 1dabf00ee206 applied and this fix absent.
- input: a codec session must be active with internal buffers queued, and then reach the release path in iris_release_internal_buffers().
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3 (cited as [1][2][3] above)
News mentions
0 (No linked articles in our index yet.)