Severity: HIGH · CVE-2026-46210 · CNA: Linux

CVE-2026-46210: media: iris: fix use-after-free of fmt_src during MBPF check

In the Linux kernel, the following vulnerability has been resolved:

media: iris: fix use-after-free of fmt_src during MBPF check

During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes: inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list.

This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free.

This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct. The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.
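The lock-scope mismatch and the corrected teardown ordering, as an added userspace model (not the iris driver's code): the list walk, the two teardown steps and the lock each one holds follow the description above, the interleaving is replayed deterministically instead of raced, the 1080p formats are constructed, and "freeing" a format nulls its pointer so the model can observe the window that would be a dangling pointer in the kernel.

```c
#include <pthread.h>
#include <stddef.h>

/* Userspace model of the ordering bug (added example, not iris driver code): the core
 * list is guarded by core->lock, each instance's formats by inst->lock. "Freeing" a
 * format nulls its pointer so the model can detect the window; in the kernel it dangles. */
struct fmt { unsigned width, height; };
struct inst { struct fmt *fmt_src, *fmt_dst; pthread_mutex_t lock; struct inst *next; };
struct core { pthread_mutex_t lock; struct inst *head; };

/* MBPF checker: sums 16x16 macroblocks over every listed instance under core->lock,
 * returning -1 when it reaches an instance whose fmt_src has already been freed. */
static long mbpf_check(struct core *core) {
    long mbs = 0;
    pthread_mutex_lock(&core->lock);
    for (struct inst *i = core->head; i; i = i->next) {
        if (!i->fmt_src) { mbs = -1; break; }          /* the use-after-free point */
        mbs += (long)((i->fmt_src->width + 15) / 16) * ((i->fmt_src->height + 15) / 16);
    }
    pthread_mutex_unlock(&core->lock);
    return mbs;
}
/* Teardown step A: release the formats under inst->lock only. */
static void free_fmts(struct inst *inst) {
    pthread_mutex_lock(&inst->lock);
    inst->fmt_src = inst->fmt_dst = NULL;              /* models kfree() of both formats */
    pthread_mutex_unlock(&inst->lock);
}
/* Teardown step B: unlink the instance from the core list under core->lock. */
static void core_remove(struct core *core, struct inst *inst) {
    pthread_mutex_lock(&core->lock);
    for (struct inst **p = &core->head; *p; p = &(*p)->next)
        if (*p == inst) { *p = inst->next; break; }
    pthread_mutex_unlock(&core->lock);
}
/* Deterministic replay of the race: the closing thread does one teardown step, the
 * checker runs, then the other step. Buggy order (A then B) frees before unlinking, so
 * the checker meets a dead instance; fixed order (B then A) unlinks under core->lock first. */
static long replay_close_vs_check(int fixed) {
    struct fmt f1 = { 1920, 1080 }, f2 = { 1920, 1080 };    /* constructed 1080p formats */
    struct inst stays = { &f1, &f1, PTHREAD_MUTEX_INITIALIZER, NULL };
    struct inst closing = { &f2, &f2, PTHREAD_MUTEX_INITIALIZER, &stays };
    struct core core = { PTHREAD_MUTEX_INITIALIZER, &closing };
    if (fixed) core_remove(&core, &closing); else free_fmts(&closing);
    long seen = mbpf_check(&core);                     /* fixed: 8160 (120*68); buggy: -1 */
    if (fixed) free_fmts(&closing); else core_remove(&core, &closing);
    return seen;
}
```

The checker only ever sees instances whose formats are intact in the fixed order because the unlink happens under the same lock the walk takes, which is exactly the ordering the upstream fix enforces.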

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's media iris driver, specifically in the Macro Blocks Per Frame (MBPF) checker. An attacker with a low-privilege local account can trigger a race condition during concurrent instance teardown, causing the kernel to dereference a pointer to already-freed memory. Successful exploitation gives the attacker arbitrary kernel memory read and write as well as the ability to crash the affected system. A patched-image rebuild at the fix version is available on HarborGuard for environments running an affected kernel.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46210 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all container images in customer registries and CI pipelines, including custom-built images that bundle an affected kernel or kernel modules.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 7.8 (HIGH) and weighting that score against each customer environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard pipeline.

Patch: Available

A patched-image rebuild at the fix commits (3d9593ad1a58c5acc3e5fa2a48222bb7632e6812, 494ffd1712a588e590e6b1e9f876a8c8b24a9180) and tagged release 7.0.9 or 7.1-rc3 becomes available on HarborGuard for affected images once the upstream fix is confirmed present in the base layer. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required to trigger the race condition.

  • Authentication: Required

    Any low-privilege local account is sufficient to open concurrent media iris instances and race the teardown path.

  • Victim interaction: Not required

    No user interaction is needed; the attacker triggers the race entirely through their own process activity.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on specific memory layout, timing windows beyond the natural concurrency of the driver, or other hard-to-control environmental factors.

Blast Radius

  • A successful attacker reads arbitrary kernel memory reachable through the dangling fmt_src pointer, exposing kernel data structures and potentially sensitive in-memory content.
  • The attacker writes through the freed pointer, enabling corruption of kernel heap memory and potential privilege escalation to root.
  • Dereferencing the freed pointer can crash the kernel outright, taking down all workloads on the affected node.
  • Any container sharing the host kernel is exposed, since kernel memory corruption is not bounded by container namespace isolation.

How HarborGuard Handles This

Available on HarborGuard: images built on Linux kernels in the affected range (prior to 494ffd1712a588e590e6b1e9f876a8c8b24a9180 or 3d9593ad1a58c5acc3e5fa2a48222bb7632e6812, originating from 5ad964ad5656668399f00c76707f0d063b64a4b1) can be matched and flagged at ingest. Where a customer's base image has been updated to kernel 7.0.9 or 7.1-rc3 (or the equivalent upstream commit), HarborGuard can produce a rebuilt image and verify the fix is present. For customers with auto-remediation enabled, HarborGuard targets a median time of roughly 90 minutes from CVE publication to a merged patch PR for high-severity issues.

Until a rebuild is confirmed in a given environment, compensating controls include:

  • restricting access to the media iris device node via Linux device cgroup rules;
  • limiting concurrent video codec workloads to trusted processes;
  • applying network-policy isolation to reduce the footprint of any process that has local access to the host.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

  • 0
  • 3d9593ad1a58c5acc3e5fa2a48222bb7632e6812
  • 494ffd1712a588e590e6b1e9f876a8c8b24a9180
  • 7.0.9
  • 7.1-rc3

Affected packages

  • Linux / Linux: < 494ffd1712a588e590e6b1e9f876a8c8b24a9180 (from 5ad964ad5656668399f00c76707f0d063b64a4b1) · < 3d9593ad1a58c5acc3e5fa2a48222bb7632e6812 (from 5ad964ad5656668399f00c76707f0d063b64a4b1)
  • Linux / Linux: 6.18; fixed in 0, 7.0.9, 7.1-rc3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H