{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31473", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.098Z", "datePublished": "2026-04-22T13:54:00.970Z", "dateUpdated": "2026-05-11T22:09:24.920Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:09:24.920Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex\n\nMEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)\nqueue teardown paths. This can race request object cleanup against vb2\nqueue cancellation and lead to use-after-free reports.\n\nWe already serialize request queueing against STREAMON/OFF with\nreq_queue_mutex. Extend that serialization to REQBUFS, and also take\nthe same mutex in media_request_ioctl_reinit() so REINIT is in the\nsame exclusion domain.\n\nThis keeps request cleanup and queue cancellation from running in\nparallel for request-capable devices."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/mc/mc-request.c", "drivers/media/v4l2-core/v4l2-ioctl.c"], "versions": [{"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9", "lessThan": "331242998a7ade5c2f65e14988901614629f3db5", "status": "affected", "versionType": "git"}, {"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9", "lessThan": "2c685e99efb3b3bd2b78699fba6b1cf321975db0", "status": "affected", "versionType": "git"}, {"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9", "lessThan": "585fd9a2063dacce8b2820f675ef23d5d17434c5", "status": "affected", "versionType": "git"}, {"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9", "lessThan": "1a0d9083c24fbd5d22f7100f09d11e4d696a5f01", "status": "affected", "versionType": "git"}, {"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9", "lessThan": "d8549a453d5bdc0a71de66ad47a1106703406a56", "status": "affected", "versionType": "git"}, {"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9", "lessThan": "72b9e81e0203f03c40f3adb457f55bd4c8eb112d", "status": "affected", "versionType": "git"}, {"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9", "lessThan": "cf2023e84f0888f96f4b65dc0804e7f3651969c1", "status": "affected", "versionType": "git"}, {"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9", "lessThan": "bef4f4a88b73e4cc550d25f665b8a9952af22773", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/mc/mc-request.c", "drivers/media/v4l2-core/v4l2-ioctl.c"], "versions": [{"version": "4.20", "status": "affected"}, {"version": "0", "lessThan": "4.20", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/331242998a7ade5c2f65e14988901614629f3db5"}, {"url": "https://git.kernel.org/stable/c/2c685e99efb3b3bd2b78699fba6b1cf321975db0"}, {"url": "https://git.kernel.org/stable/c/585fd9a2063dacce8b2820f675ef23d5d17434c5"}, {"url": "https://git.kernel.org/stable/c/1a0d9083c24fbd5d22f7100f09d11e4d696a5f01"}, {"url": "https://git.kernel.org/stable/c/d8549a453d5bdc0a71de66ad47a1106703406a56"}, {"url": "https://git.kernel.org/stable/c/72b9e81e0203f03c40f3adb457f55bd4c8eb112d"}, {"url": "https://git.kernel.org/stable/c/cf2023e84f0888f96f4b65dc0804e7f3651969c1"}, {"url": "https://git.kernel.org/stable/c/bef4f4a88b73e4cc550d25f665b8a9952af22773"}], "title": "media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "99763E34-9798-4EED-94CE-E0AFF0E63F37", "versionEndExcluding": "5.10.253", "versionStartIncluding": "4.20.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B", "versionEndExcluding": "6.1.168", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.20:-:*:*:*:*:*:*", "matchCriteriaId": "1072305B-94A8-4D68-9419-B786885AA310", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex\n\nMEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)\nqueue teardown paths. This can race request object cleanup against vb2\nqueue cancellation and lead to use-after-free reports.\n\nWe already serialize request queueing against STREAMON/OFF with\nreq_queue_mutex. Extend that serialization to REQBUFS, and also take\nthe same mutex in media_request_ioctl_reinit() so REINIT is in the\nsame exclusion domain.\n\nThis keeps request cleanup and queue cancellation from running in\nparallel for request-capable devices."}], "id": "CVE-2026-31473", "lastModified": "2026-04-27T23:27:42.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-22T14:16:43.863", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1a0d9083c24fbd5d22f7100f09d11e4d696a5f01"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2c685e99efb3b3bd2b78699fba6b1cf321975db0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/331242998a7ade5c2f65e14988901614629f3db5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/585fd9a2063dacce8b2820f675ef23d5d17434c5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/72b9e81e0203f03c40f3adb457f55bd4c8eb112d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bef4f4a88b73e4cc550d25f665b8a9952af22773"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cf2023e84f0888f96f4b65dc0804e7f3651969c1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d8549a453d5bdc0a71de66ad47a1106703406a56"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex", "id": "2460734", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460734"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-364", "details": ["A flaw was found in the Linux kernel's media, mc, and v4l2 subsystems. A race condition can occur when MEDIA_REQUEST_IOC_REINIT runs concurrently with VIDIOC_REQBUFS(0) queue teardown paths, leading to a use-after-free vulnerability. This flaw could allow a local attacker to cause a system crash (denial of service) or potentially execute arbitrary code with elevated privileges."], "name": "CVE-2026-31473", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31473\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31473\nhttps://lore.kernel.org/linux-cve-announce/2026042255-CVE-2026-31473-fad0@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6093d3002eabd7c2913d97f1d1f4ce34b072acf9,331242998a7ade5c2f65e14988901614629f3db5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6093d3002eabd7c2913d97f1d1f4ce34b072acf9,2c685e99efb3b3bd2b78699fba6b1cf321975db0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6093d3002eabd7c2913d97f1d1f4ce34b072acf9,585fd9a2063dacce8b2820f675ef23d5d17434c5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6093d3002eabd7c2913d97f1d1f4ce34b072acf9,1a0d9083c24fbd5d22f7100f09d11e4d696a5f01)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6093d3002eabd7c2913d97f1d1f4ce34b072acf9,d8549a453d5bdc0a71de66ad47a1106703406a56)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6093d3002eabd7c2913d97f1d1f4ce34b072acf9,72b9e81e0203f03c40f3adb457f55bd4c8eb112d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6093d3002eabd7c2913d97f1d1f4ce34b072acf9,cf2023e84f0888f96f4b65dc0804e7f3651969c1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6093d3002eabd7c2913d97f1d2f4ce34b072acf9,bef4f4a88b73e4cc550d25f665b8a9952af22773)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.20"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.20)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T21:00:48.702851+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the commit that serializes REINIT and REQBUFS with req_queue_mutex (referenced in the advisory).", "Limit user access to the affected media devices by adjusting device permissions or udev rules, thereby restricting the ability to issue concurrent ioctl operations.", "If a kernel upgrade cannot be performed immediately, disable the media request interface or block v4l2 buffer queue usage through module parameters or system configuration to mitigate race conditions."], "summary": {"action": "Immediate patch", "impact": "Use\u2011after\u2011free in Linux media drivers can lead to code execution or a kernel crash"}, "threat_synthesis": {"affected_systems": "This issue affects any Linux kernel that implements media request handling for mc and v4l2 instances, i.e. all media request\u2011capable devices before the fix is applied. No specific version numbers are listed, so systems running unpatched kernels relying on the media and video4linux interfaces are potentially vulnerable.", "description_and_impact": "In the Linux kernel, a race condition exists between the media request reinitialization control operation (MEDIA_REQUEST_IOC_REINIT) and the same driver\u2019s buffer queue management ioctl (VIDIOC_REQBUFS). When these calls are executed concurrently, the cleanup of a request object can collide with the cancellation of the v4l2 buffer queue, resulting in a use\u2011after\u2011free condition. This flaw is a classic use\u2011after\u2011free bug (CWE\u2011416) as well as a race condition during resource cleanup (CWE\u2011364) and can potentially lead to arbitrary code execution or a kernel crash if an attacker can trigger the race.", "risk_and_exploitability": "The EPSS score is < 1%, indicating a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, indicating limited known exploitation. Nonetheless, because the flaw requires only local interaction with a media device, a privileged user or a compromised application could intentionally trigger the race. The resulting memory corruption could provide a path to privilege escalation or denial of service. Attacks would likely stem from locally executing code that issues the two ioctls simultaneously or from a malicious driver. The CVSS score is 7.8."}}}}, "created": "2026-04-22T16:45:21.250760+00:00", "updated": "2026-04-28T21:15:39.666932+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}