HIGH · CVE-2026-46240 · CNA: Linux

CVE-2026-46240: media: iris: Fix use-after-free in iris_release_internal_buffers()

In the Linux kernel, the following vulnerability has been resolved:

media: iris: Fix use-after-free in iris_release_internal_buffers()

The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.

Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.
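The ordering change described above, as a simplified user-space model in C (an added example, not the kernel patch or the iris driver's own code). `struct model_buf`, `model_session_release_buf()`, `release_buggy()`, `release_fixed()` and the flag's numeric value are hypothetical, and the post-call access is assumed to be a flag write, which the page does not spell out.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define BUF_ATTR_PENDING_RELEASE 0x1u /* name from the advisory; value constructed */
struct model_buf { unsigned int attr; }; /* hypothetical stand-in, not the driver's struct */

/* Stand-in for session_release_buf(): on success it may free the buffer. */
static int model_session_release_buf(struct model_buf *buf, int fail)
{
    if (fail)
        return -EIO; /* failure: caller still owns buf */
    free(buf);       /* success: buf is gone */
    return 0;
}

/* Pre-fix ordering, for contrast only and never called: the assumed flag
 * write after a successful release lands in freed memory. */
int release_buggy(struct model_buf *buf, int fail)
{
    int ret = model_session_release_buf(buf, fail);
    if (!ret)
        buf->attr |= BUF_ATTR_PENDING_RELEASE; /* use-after-free */
    return ret;
}

/* Fixed ordering: set the flag first, touch buf again only on failure. */
int release_fixed(struct model_buf *buf, int fail)
{
    buf->attr |= BUF_ATTR_PENDING_RELEASE;
    int ret = model_session_release_buf(buf, fail);
    if (ret)
        buf->attr &= ~BUF_ATTR_PENDING_RELEASE; /* still ours: revert */
    return ret;
}

int main(void)
{
    struct model_buf *a = calloc(1, sizeof(*a)), *b = calloc(1, sizeof(*b));
    if (!a || !b) { free(a); free(b); return 1; }
    printf("success: ret=%d (callee freed the buffer; caller never reads it)\n",
           release_fixed(a, 0));
    int ret = release_fixed(b, 1);
    printf("failure: ret=%d attr=%#x (flag reverted)\n", ret, b->attr);
    free(b);
    return 0;
}
```

Building the model with `-fsanitize=address` and swapping `release_fixed` for `release_buggy` on the success path makes the sanitizer report the write into freed memory.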

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's iris media driver, specifically in the iris_release_internal_buffers() function. The flaw is reachable locally by a low-privileged user and does not require any network access or user interaction. Successful exploitation gives an attacker full read, write, and crash capability over the affected system. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46240 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that carry an affected kernel version. Coverage applies to both registry scans and in-pipeline image checks at build time.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.8 (HIGH) and weights that score against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard policy-driven workflow.

Status: Available

Patch

A patched-image rebuild at fix versions 6.18.32, 6.20, or 7.0.9 (or commit 18c64439f249859b6140f7bf8bcf95c8ed841f28) becomes available on HarborGuard for any environment running an affected kernel image. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the vulnerable code is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the vulnerable code path in iris_release_internal_buffers().

  • Victim interaction: Not required

    No user interaction is needed; the attacker can trigger the vulnerability directly without involving another user.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, specific memory layout, or other environmental pre-conditions beyond local access.

Blast Radius

  • Reads arbitrary kernel memory, exposing credentials, session tokens, or other sensitive in-kernel data.
  • Writes to arbitrary kernel memory, allowing modification of kernel data structures or persisted state.
  • Crashes the affected kernel, causing a full system denial of service for all workloads on the host.
  • May be chained into a full local privilege escalation by corrupting kernel control-flow data.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is matched against customer images automatically within minutes of publication. For environments running an affected Linux kernel image, a patched rebuild at versions 6.18.32, 6.20, or 7.0.9 is available.

Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 7.8 (HIGH) severity and fix-version details so that operators can act manually.

Because the vulnerable code path is local-only, a practical compensating control while patching is underway is to restrict untrusted local user access to the iris media device node using a host-level seccomp or device-cgroup policy.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

0, 18c64439f249859b6140f7bf8bcf95c8ed841f28, 6.18.32, 6.20, 7.0.9, 7.1-rc3, dd24998a4a4016fb9921916024399bd80f0d45c6, f27cfdcfc916bb59297825805f4c3499f89f9e76

Affected packages
  • Linux / Linux
    < dd24998a4a4016fb9921916024399bd80f0d45c6 (from 7cde76db8883ec8a3d1456068079ecadbfb15ca5) · < 18c64439f249859b6140f7bf8bcf95c8ed841f28 (from 1dabf00ee206eceb0f08a1fe5d1ce635f9064338) · < f27cfdcfc916bb59297825805f4c3499f89f9e76 (from 1dabf00ee206eceb0f08a1fe5d1ce635f9064338) · d4457f23ac0130240053a34be663f0fade3bb371 · < 6.18.32 (from 6.18.16) · < 6.20 (from 6.19.6)
  • Linux / Linux
    7.0
    Fixed in 0, 6.18.32, 7.0.9, 7.1-rc3
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H