Skip to main content

Linux CVE-2026-23227

HIGH
Use After Free (CWE-416)
2026-02-18 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 18, 2026 - 09:45 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 18, 2026 - 09:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Patch released
Apr 09, 2026 - 20:30 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 18, 2026 - 16:22 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free

Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problem.

For example, use-after-free can occur in race scenario like this:

	CPU0				CPU1				CPU2
	----				----				----
  vidi_connection_ioctl()
    if (vidi->connection) // true
      drm_edid = drm_edid_alloc(); // alloc drm_edid
      ...
      ctx->raw_edid = drm_edid;
      ...
								drm_mode_getconnector()
								  drm_helper_probe_single_connector_modes()
								    vidi_get_modes()
								      if (ctx->raw_edid) // true
								        drm_edid_dup(ctx->raw_edid);
								          if (!drm_edid) // false
								          ...
				vidi_connection_ioctl()
				  if (vidi->connection) // false
				    drm_edid_free(ctx->raw_edid); // free drm_edid
				    ...
								          drm_edid_alloc(drm_edid->edid)
								            kmemdup(edid); // UAF!!
								            ...

To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock.

AnalysisAI

Use-after-free in Linux kernel's Exynos Virtual Display (drm/exynos vidi) driver allows local authenticated users to potentially execute arbitrary code, escalate privileges, or cause denial of service. The vulnerability stems from missing lock protection during concurrent memory allocation/deallocation operations in the vidi_context structure. EPSS score of 0.02% indicates low observed exploitation probability. Vendor patches available across multiple kernel stable branches.

Technical ContextAI

The Exynos Virtual Display driver (drm/exynos/vidi) is part of the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically for Samsung Exynos SoC-based systems providing virtual display functionality. The vulnerability is a classic use-after-free (CWE-416) race condition where the raw_edid member variable in struct vidi_context can be freed by one thread (via vidi_connection_ioctl calling drm_edid_free) while simultaneously being accessed by another thread (via vidi_get_modes calling drm_edid_dup). The lack of mutex protection around these memory operations creates a time-of-check-time-of-use (TOCTOU) window. The DRM EDID (Extended Display Identification Data) structures store monitor capability information, and their improper lifecycle management enables the race. The fix introduces ctx->lock mutex protection around all vidi_context member variables involved in allocation/deallocation paths, serializing access to prevent concurrent modification.

RemediationAI

Apply vendor-supplied kernel updates containing the mutex lock protection fixes. The patches are available across multiple stable kernel branches via git.kernel.org commits (see references: 0cd2c155740d, 52b330799e2d, 60b75407c172, abfdf449fb3d, 1b24d3e8792b, 92dd1f38d7db, 56966a4cfa92, 9e1ef9396a18). For mainline kernel users, upgrade to versions incorporating these commits. For enterprise Linux distributions (RHEL, Ubuntu, SUSE), monitor distribution-specific security advisories and apply kernel updates through normal package management once available. If immediate patching is not feasible, consider disabling the Exynos vidi driver as a compensating control by blacklisting the exynos_drm_vidi kernel module (add 'blacklist exynos_drm_vidi' to /etc/modprobe.d/blacklist.conf and rebuild initramfs), though this will disable virtual display functionality and may break dependent features or applications. For embedded systems with custom kernel builds, backport the specific commits adding ctx->lock protection to vidi_connection_ioctl and vidi_get_modes functions. Note that disabling the driver eliminates attack surface but may cause functionality regression in systems relying on virtual display features for screen mirroring, testing, or headless operation scenarios.

CVE-2024-7399 HIGH POC
8.8 Aug 12

Arbitrary file write as SYSTEM in Samsung MagicINFO 9 Server before version 21.1050 allows remote attackers to place att

CVE-2025-4632 CRITICAL POC
9.8 May 13

Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary

CVE-2012-4333 CRITICAL POC
10.0 Aug 14

Multiple stack-based buffer overflows in the BackupToAvi method in the (1) UMS_Ctrl 1.5.1.1 and (2) UMS_Ctrl_STW 2.0.1.0

CVE-2017-16524 HIGH POC
8.8 Nov 06

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_u

CVE-2015-8279 HIGH POC
8.6 Jan 15

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to read arbitrary files via a request to an un

CVE-2017-17692 HIGH POC
7.5 Dec 21

Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive informat

CVE-2012-6429 CRITICAL POC
10.0 Apr 04

Buffer overflow in the PrepareSync method in the SyncService.dll ActiveX control in Samsung Kies before 2.5.1.12123_2_7

CVE-2012-4329 HIGH POC
7.8 Aug 14

The Samsung D6000 TV and possibly other products allow remote attackers to cause a denial of service (continuous restart

CVE-2012-4330 HIGH POC
7.8 Aug 14

The Samsung D6000 TV and possibly other products allows remote attackers to cause a denial of service (crash) via a long

CVE-2012-4334 CRITICAL POC
10.0 Aug 14

The ConnectDDNS method in the (1) STWConfigNVR 1.1.13.15 and (2) STWConfig 1.1.14.13 ActiveX controls in Samsung NET-i v

CVE-2015-5473 CRITICAL
9.8 Jun 01

Multiple directory traversal vulnerabilities in Samsung SyncThru 6 before 1.0 allow remote attackers to delete arbitrary

CVE-2012-4250 CRITICAL POC
9.3 Aug 13

Stack-based buffer overflow in the RequestScreenOptimization function in the XProcessControl.ocx ActiveX control in msls

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

CVE-2026-23227 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy