CVE-2026-46011
MEDIUMDescription
In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: fix use-after-free in release path due to uncancelled work The mtk_jpeg_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->jpeg_work. This creates a race window where the workqueue callback may still be accessing the context memory after it has been freed. Race condition: CPU 0 (release) CPU 1 (workqueue) ---------------- ------------------ close() mtk_jpeg_release() mtk_jpegenc_worker() ctx = work->data // accessing ctx kfree(ctx) // freed! access ctx // UAF! The work is queued via queue_work() during JPEG encode/decode operations (via mtk_jpeg_device_run). If the device is closed while work is pending or running, the work handler will access freed memory. Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This ordering is critical: if cancel_work_sync() is called after mutex_lock(), and the work handler also tries to acquire the same mutex, it would cause a deadlock. Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during ioctl operations.
How to fix
Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploit Intelligence
Low risk: more likely to be exploited than 3% of all known CVEs.
References
Related Vulnerabilities
Other CWE-416 (Use After Free) vulnerabilities, ordered by exploit likelihood. View all
| CVE | Severity | CVSS | EPSS | Exploited | Fix |
|---|---|---|---|---|---|
| CVE-2019-0708 | Critical | 9.8 | 100% | KEV + Ransom | - |
| CVE-2021-31166 | Critical | 9.8 | 100% | KEV | Fix |
| CVE-2015-5119 | Critical | 9.8 | 99% | KEV | - |
| CVE-2010-3962 | High | 8.1 | 97% | KEV | - |
| CVE-2015-0313 | Critical | 9.8 | 96% | KEV | Fix |
| CVE-2017-9798 | High | 7.5 | 95% | - | Fix |
Embed a live status badge for CVE-2026-46011
Markdown
[](https://tridentstack.com/cve/CVE-2026-46011)HTML
<a href="https://tridentstack.com/cve/CVE-2026-46011"><img src="https://tridentstack.com/cve/badge/CVE-2026-46011.svg" alt="CVE-2026-46011"></a>Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-06-16.