PatchSiren cyber security CVE debrief

CVE-2026-46240 Linux CVE debrief

A use-after-free vulnerability in the Linux kernel's Qualcomm IRIS video driver (media: iris) was introduced by a regression in commit 1dabf00ee206. The flaw occurs in iris_release_internal_buffers() where session_release_buf() may free a buffer, but the caller continues to access the buffer pointer afterward. The fix sets BUF_ATTR_PENDING_RELEASE before calling session_release_buf() and reverts the flag on failure, preventing dereference after potential freeing. This affects the IRIS video codec driver used for video encoding/decoding on Qualcomm platforms. The vulnerability was resolved in stable kernel branches with commits 18c64439f249, dd24998a4a40, and f27cfdcfc916.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Organizations running Linux systems with Qualcomm Snapdragon platforms utilizing video encoding/decoding capabilities; embedded/IoT device manufacturers using Qualcomm IRIS video codecs; kernel maintainers and distribution security teams packaging stable kernel updates

Technical summary

The vulnerability exists in the Qualcomm IRIS (Image Signal Processor) video driver within the Linux kernel media subsystem. The regression was introduced when internal buffer destruction was moved to occur after firmware release. The function iris_release_internal_buffers() calls session_release_buf(), which may free the buffer structure. The original code continued to access the buffer pointer after this call, creating a use-after-free condition. The fix implements a state flag pattern: BUF_ATTR_PENDING_RELEASE is set before the release call, and reverted only if the call fails. This ensures no pointer dereference occurs after potential memory freeing. The IRIS driver handles video codec operations on Qualcomm platforms; exploitation would require local access to trigger the buffer release code path.
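
The flag ordering described above, modelled in userspace C as an added example (not the kernel's code or the upstream patch). Only BUF_ATTR_PENDING_RELEASE comes from the CVE text; the flag value, the structs and the model_* functions are assumptions, and the stand-in release frees the buffer synchronously on success.

```c
#include <stdlib.h>

/* Userspace model. Only BUF_ATTR_PENDING_RELEASE is named in the CVE text;
 * its value, the structs and the model_* functions are assumptions. */
#define BUF_ATTR_PENDING_RELEASE 0x1u
struct model_buf { unsigned int attr; struct model_buf *next; };
struct model_session {
    struct model_buf *head;   /* internal buffer list */
    int fail_release, freed;  /* constructed failure knob; count of frees */
};

static struct model_buf *model_add_buf(struct model_session *s)
{
    struct model_buf *b = calloc(1, sizeof(*b));
    if (b) { b->next = s->head; s->head = b; }
    return b;
}

/* Stand-in for session_release_buf(): on success the buffer is unlinked and
 * freed before returning, so the caller's pointer dangles afterwards. */
static int model_release_buf(struct model_session *s, struct model_buf *b)
{
    struct model_buf **pp = &s->head;
    if (s->fail_release) return -1;
    while (*pp && *pp != b) pp = &(*pp)->next;
    if (*pp) *pp = b->next;
    free(b);
    s->freed++;
    return 0;
}

/* Ordering the fix describes: flag first, release, touch b again only on error. */
static int model_release_internal_buffers(struct model_session *s)
{
    for (struct model_buf *b = s->head, *next; b; b = next) {
        next = b->next;                          /* read before b can be freed */
        b->attr |= BUF_ATTR_PENDING_RELEASE;     /* set while b is still valid */
        if (model_release_buf(s, b)) {
            b->attr &= ~BUF_ATTR_PENDING_RELEASE; /* failure: b was not freed */
            return -1;
        }                                        /* success: never read b again */
    }
    return 0;
}

int main(void)
{
    struct model_session s = {0};
    return model_add_buf(&s) ? model_release_internal_buffers(&s) : 1;
}
```

Building the model with -fsanitize=address confirms that no access to a freed buffer occurs on either the success or the failure path.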

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits to systems using the Qualcomm IRIS video driver
  • Monitor vendor security advisories for distribution-specific kernel packages
  • Review systems with video encoding/decoding workloads on Qualcomm platforms for stability issues
  • Validate kernel version against fixed commits in stable branches

Evidence notes

The CVE description explicitly identifies this as a regression from commit 1dabf00ee206 (media: iris: gen1: Destroy internal buffers after FW releases). The fix pattern involves setting BUF_ATTR_PENDING_RELEASE before session_release_buf() to prevent use-after-free. Three stable kernel commits are referenced as fixes.
