CVE-2026-46058 Linux CVE debrief

Who should care

Linux system administrators running kernels with Amphion VPU support; embedded/IoT device manufacturers using NXP i.MX platforms with Amphion VPU hardware; security teams monitoring kernel media subsystem vulnerabilities

Technical summary

The Amphion VPU driver in the Linux kernel contains a race condition in the V4L2 memory-to-memory (m2m) framework integration. When v4l2_m2m_ctx_release() is called, it invokes job_abort() which calls v4l2_m2m_job_finish(), then frees the m2m_ctx structure. However, v4l2_m2m_try_run() may still attempt to call device_run() with the now-freed context, resulting in a use-after-free at offset 0x538 and kernel panic. The vulnerability is triggered by the driver's non-standard use of the m2m framework—it does not actually use device_run for encode/decode operations. The fix eliminates the race by: (1) adding a job_ready callback that always returns 0, preventing the m2m framework from scheduling jobs, and (2) removing the job_abort callback to prevent the problematic synchronization path.

Defensive priority

medium

Recommended defensive actions

• Apply kernel patches from stable branches when available
• Monitor distribution security advisories for updated kernel packages
• Restrict untrusted local access to VPU devices until patched

Evidence notes

CVE published 2026-05-27. Kernel panic crash trace documented in commit messages. Multiple stable kernel branches patched.

Official resources