Skip to main content

Linux CVE-2026-23317

| EUVDEUVD-2026-15264 HIGH
Use of Uninitialized Resource (CWE-908)
2026-03-25 Linux GHSA-x2vc-23cg-h9h7
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 23, 2026 - 21:27 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15264
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Return the correct value in vmw_translate_ptr functions

Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that returned an error code with the pointer becoming an out parameter.

The error path when the lookup failed was not changed to reflect this change and the code continued to return the PTR_ERR of the now uninitialized pointer. This could cause the vmw_translate_ptr functions to return success when they actually failed causing further uninitialized and OOB accesses.

AnalysisAI

A logic error in the Linux kernel's drm/vmwgfx driver causes the vmw_translate_ptr functions to return success when pointer lookups actually fail, because the error handling was not updated when the underlying lookup function's return mechanism changed from returning a pointer to returning an error code with pointer as an out parameter. This allows uninitialized pointer dereferences and out-of-bounds memory access when the functions incorrectly report success, potentially enabling information disclosure or privilege escalation via the VMware graphics driver.

Technical ContextAI

The vulnerability exists in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically in the vmwgfx driver which provides graphics support for VMware virtual machines (affected CPE: cpe:2.3:a:linux:linux). The root cause is a refactoring error in pointer translation functions where a previous lookup function returning a direct pointer was replaced with one returning an error code and using an out parameter for the pointer. However, the error path checking logic was not properly updated to reflect this change—the code continued to call PTR_ERR() on an uninitialized output parameter rather than checking the returned error code directly. This represents a type of API usage error where the caller's assumptions about function behavior diverged from the actual implementation, falling under improper error handling and uninitialized variable usage patterns.

RemediationAI

Update the Linux kernel to a patched version containing one of the fix commits (ce3a5cf139787c186d5d54336107298cacaad2b9 or its backports) available at https://git.kernel.org/stable/. Most Linux distributions will release patched kernel versions through their standard update channels; users should apply the latest kernel updates from their distribution's security advisories. If immediate patching is not possible, disable the vmwgfx driver if not required by modifying the kernel command line or blacklisting the module. For systems that require VMware graphics support, prioritize kernel patching as soon as stable updates are available from your distribution, as workarounds are limited given the kernel-level nature of the vulnerability.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23317 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy