{"id":"CVE-2026-31585","summary":"media: vidtv: fix nfeeds state corruption on start_streaming failure","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix nfeeds state corruption on start_streaming failure\n\nsyzbot reported a memory leak in vidtv_psi_service_desc_init [1].\n\nWhen vidtv_start_streaming() fails inside vidtv_start_feed(), the\nnfeeds counter is left incremented even though no feed was actually\nstarted. This corrupts the driver state: subsequent start_feed calls\nsee nfeeds \u003e 1 and skip starting the mux, while stop_feed calls\neventually try to stop a non-existent stream.\n\nThis state corruption can also lead to memory leaks, since the mux\nand channel resources may be partially allocated during a failed\nstart_streaming but never cleaned up, as the stop path finds\ndvb-\u003estreaming == false and returns early.\n\nFix by decrementing nfeeds back when start_streaming fails, keeping\nthe counter in sync with the actual number of active feeds.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888145b50820 (size 32):\n comm \"syz.0.17\", pid 6068, jiffies 4294944486\n backtrace (crc 90a0c7d4):\n  vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288\n  vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83\n  vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524\n  vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518\n  vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n  vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239","modified":"2026-06-18T03:55:25.228899401Z","published":"2026-04-24T14:42:14.266Z","related":["CGA-347c-738q-g22r","openSUSE-SU-2026:10703-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31585.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/17cb7957c979529cc98ff57f7ac331532f1f7c83"},{"type":"WEB","url":"https://git.kernel.org/stable/c/25f19e476ab15defe698504212899fdb9f7cd61b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4bf95f797edd63c93330eafb6d6e670982344b9b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/60f768d46df561e06d92ffcacc00909f37a0f23d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/80900b5424f3454256153ce386388df43b324f63"},{"type":"WEB","url":"https://git.kernel.org/stable/c/83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/98c22210aeadce67d9d20059f0dbbd01ba7fdbba"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a0e5a598fe9a4612b852406b51153b881592aede"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f8cccb427e65d725fc0ba05e8900b4676eda268e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31585.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31585"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f90cf6079bf67988f8b1ad1ade70fc89d0080905"},{"fixed":"f8cccb427e65d725fc0ba05e8900b4676eda268e"},{"fixed":"60f768d46df561e06d92ffcacc00909f37a0f23d"},{"fixed":"80900b5424f3454256153ce386388df43b324f63"},{"fixed":"17cb7957c979529cc98ff57f7ac331532f1f7c83"},{"fixed":"98c22210aeadce67d9d20059f0dbbd01ba7fdbba"},{"fixed":"25f19e476ab15defe698504212899fdb9f7cd61b"},{"fixed":"83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd"},{"fixed":"4bf95f797edd63c93330eafb6d6e670982344b9b"},{"fixed":"a0e5a598fe9a4612b852406b51153b881592aede"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31585.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.10.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.20.0"},{"fixed":"7.0.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31585.json"}}],"schema_version":"1.7.5"}