Cyber Resilience

CVE-2026-31473

High

Published: 22 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31473 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31473 is a use-after-free vulnerability in the Linux kernel's media controller (mc) and Video4Linux2 (v4l2) subsystems. It arises from a race condition where the MEDIA_REQUEST_IOC_REINIT ioctl can execute concurrently with VIDIOC_REQBUFS(0) queue teardown paths, allowing request object cleanup to race against vb2 queue cancellation. This affects request-capable media devices. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-416.

A local attacker with low privileges can exploit this vulnerability by triggering the concurrent operations, potentially leading to use-after-free memory corruption. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution, denial of service, or data leakage within the kernel context.

Mitigation involves applying the upstream kernel patches referenced in the stable git commits, which extend serialization using the req_queue_mutex to cover REQBUFS operations and media_request_ioctl_reinit(). These changes ensure request cleanup and queue cancellation do not run in parallel for affected devices.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex

MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to use-after-free reports.

We already serialize request queueing against STREAMON/OFF with req_queue_mutex. Extend that serialization to REQBUFS, and also take the same mutex in media_request_ioctl_reinit() so REINIT is in the same exclusion domain. This keeps request cleanup and queue cancellation from running in parallel for request-capable devices.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local kernel use-after-free (a race in the mc/v4l2 ioctls) directly enables exploitation for privilege escalation, to achieve arbitrary code execution or DoS from a low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-43019 · Same product: Linux Linux Kernel
CVE-2026-23158 · Same product: Linux Linux Kernel
CVE-2025-21893 · Same product: Linux Linux Kernel
CVE-2026-31446 · Same product: Linux Linux Kernel
CVE-2026-31650 · Same product: Linux Linux Kernel
CVE-2026-23001 · Same product: Linux Linux Kernel
CVE-2024-50051 · Same product: Linux Linux Kernel
CVE-2025-21759 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
4.20, 7.0 · 4.20.1 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.168

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely application of upstream kernel patches remediates the race condition between REINIT and REQBUFS operations that causes use-after-free.

prevent

Enforces memory protection mechanisms explicitly designed to protect against use-after-free memory corruption vulnerabilities like CVE-2026-31473.

detect

Vulnerability monitoring and scanning identifies the kernel race condition flaw, facilitating remediation before exploitation.

References