CVE-2026-31473
Published: 22 April 2026
Summary
CVE-2026-31473 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31473 is a use-after-free vulnerability in the Linux kernel's media controller (mc) and Video4Linux2 (v4l2) subsystems. It arises from a race condition in which the MEDIA_REQUEST_IOC_REINIT ioctl can execute concurrently with VIDIOC_REQBUFS(0) queue teardown paths, so that request object cleanup races against vb2 queue cancellation. The flaw affects request-capable media devices. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-416.
A local attacker with low privileges can exploit this vulnerability by triggering the concurrent operations, potentially leading to use-after-free memory corruption. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution, denial of service, or data leakage within the kernel context.
Mitigation involves applying the upstream kernel patches referenced in the stable git commits, which extend serialization using the req_queue_mutex to cover REQBUFS operations and media_request_ioctl_reinit(). These changes ensure request cleanup and queue cancellation do not run in parallel for affected devices.
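While the patched kernel is being rolled out, it is useful to know on which hosts an unprivileged local account can reach the affected ioctl paths at all. The script below is an added example, not part of the original advisory or the kernel project: it lists the media controller and V4L2 character devices under /dev and reports who can open them. It assumes the conventional /dev/media* and /dev/video* node names and cannot tell whether a given driver is request-capable, so the result is a superset of the affected devices.

```python
import glob
import os
import stat

# Conventional node names for media controller and V4L2 devices (assumption:
# the host uses the default udev naming).
PATTERNS = ("media[0-9]*", "video[0-9]*")


def classify(mode, gid, group_names):
    """Return who can open a node: 'world', 'group:<name>' or 'root-only'.

    mode is the node's st_mode, gid its owning group, group_names a
    gid -> name mapping (passed in so the logic can be tested offline).
    Where udev 'uaccess' ACLs are in use, the group bits show the ACL mask,
    so check such nodes with getfacl for the exact user list.
    """
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        return "world"
    if mode & (stat.S_IRGRP | stat.S_IWGRP) and gid != 0:
        return "group:" + group_names.get(gid, str(gid))
    return "root-only"


def scan(dev_dir="/dev"):
    """Return [(path, access)] for media/video character devices in dev_dir."""
    import grp  # POSIX only; imported here so classify() stays portable
    names = {g.gr_gid: g.gr_name for g in grp.getgrall()}
    found = []
    for pattern in PATTERNS:
        for path in sorted(glob.glob(os.path.join(dev_dir, pattern))):
            st = os.stat(path)
            if stat.S_ISCHR(st.st_mode):  # ignore stray regular files
                found.append((path, classify(st.st_mode, st.st_gid, names)))
    return found


if __name__ == "__main__":
    for path, access in scan():
        print(f"{access:<16} {path}")
```

Hosts where every node reports root-only, or where no nodes are listed, do not expose these ioctls to low-privileged users through the device files; hosts reporting world or a widely populated group are the ones to patch first.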
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24825
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to use-after-free reports.
We already serialize request queueing against STREAMON/OFF with req_queue_mutex. Extend that serialization to REQBUFS, and also take the same mutex in media_request_ioctl_reinit() so REINIT is in the same exclusion domain. This keeps request cleanup and queue cancellation from running in parallel for request-capable devices.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel use-after-free (a race in the mc/v4l2 ioctls) directly enables exploitation for privilege escalation, to achieve arbitrary code execution or DoS from a low-privileged context.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Timely application of upstream kernel patches remediates the race condition between REINIT and REQBUFS operations that causes use-after-free.
- Enforces memory protection mechanisms explicitly designed to protect against use-after-free memory corruption vulnerabilities like CVE-2026-31473.
- Vulnerability monitoring and scanning identifies the kernel race condition flaw, facilitating remediation before exploitation.