CVE-2026-46210 Linux CVE debrief

Who should care

Organizations running Linux systems with Qualcomm IRIS video acceleration hardware, particularly those with multi-threaded video encoding/decoding workloads or containerized environments where multiple video instances may operate concurrently.

Technical summary

The vulnerability is a use-after-free (CWE-416) in the Qualcomm IRIS video driver, triggered by a race condition between the MBPF (Macro Blocks Per Frame) validation logic and instance closure. The MBPF checker holds core->lock and traverses the instance list, reading fmt_src dimensions. Concurrently, iris_close() acquires inst->lock and frees fmt_src/fmt_dst while the instance remains in the core list. The fix restructures teardown to: (1) acquire core->lock, (2) remove instance from core list, (3) release core->lock, (4) then free format structures under inst->lock. This ensures no concurrent MBPF check can access freed memory.

Defensive priority

high

Recommended defensive actions

• Apply kernel patches from the stable kernel git repository when available for your distribution
• Verify kernel version includes fixes for the IRIS media driver race condition
• Review systems utilizing Qualcomm IRIS video acceleration for kernel update scheduling
• Monitor vendor security advisories for backported fixes if running long-term support kernel versions

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-28. The fix involves two kernel commits addressing the race condition in the IRIS media driver. The flaw affects concurrency scenarios where multiple video encoder/decoder instances operate simultaneously.

Official resources