Skip to main content

Linux Kernel CVE-2026-46065

| EUVDEUVD-2026-32447 HIGH
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-w279-mj9j-w893
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:43 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info

Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an instance as part of initializing deferred I/O and remove it only after the final mapping has been closed. If the fb_info and the contained deferred I/O meanwhile goes away, clear struct fb_deferred_io_state.info to invalidate the mapping. Any access will then result in a SIGBUS signal.

Fixes a long-standing problem, where a device hot-unplug happens while user space still has an active mapping of the graphics memory. The hot- unplug frees the instance of struct fb_info. Accessing the memory will operate on undefined state.

AnalysisAI

Local privilege escalation and memory corruption in the Linux kernel fbdev deferred I/O subsystem allows local low-privileged users to trigger undefined behavior when a framebuffer device is hot-unplugged while user space retains an active memory mapping. The flaw stems from improper lifetime management between struct fb_info and deferred I/O state, leading to use-after-free conditions with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).

Technical ContextAI

The vulnerability resides in the Linux kernel's framebuffer device (fbdev) deferred I/O subsystem (drivers/video/fbdev/core/fb_defio.c), which provides a mechanism for tracking dirty pages in framebuffer memory mappings used by drivers that cannot directly DMA from main memory. The deferred I/O state was previously embedded within struct fb_info, meaning its lifetime was tied to that structure. When a graphics device is hot-unplugged, the kernel frees struct fb_info while user space may still hold an active mmap() of the graphics memory, creating a use-after-free condition where subsequent memory accesses operate on freed kernel state. The fix introduces a separate struct fb_deferred_io_state that is reference-counted independently and persists until the final mapping is closed, with info pointer invalidation triggering SIGBUS on subsequent access. This is consistent with CWE-416 (Use After Free) class of memory safety bugs, though no CWE was explicitly assigned.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.6.140, 6.12.88, 6.18.30, 7.0.4, or 7.1-rc1 and later, depending on your stable branch, with patch commits available at https://git.kernel.org/stable/c/25c2b77bc463f29ee71a54b883548baf9386a0db, https://git.kernel.org/stable/c/2a40f8bc9bb713329f1c35ffc199ee961a7135b0, https://git.kernel.org/stable/c/2b53d3a52e8e5403a4f4fb57ac6cad3fd2cb1066, https://git.kernel.org/stable/c/9ded47ad003f09a94b6a710b5c47f4aa5ceb7429, and https://git.kernel.org/stable/c/a0aafb421dd15e935d81543152617f2742cefa70. Apply distribution-supplied kernel updates as they become available from Red Hat, SUSE, Ubuntu, Debian, and other vendors. As a compensating control where patching is delayed, restrict access to framebuffer device nodes (/dev/fb*) via udev rules or group permissions so only trusted users in the video group can open and mmap them, accepting the trade-off that legitimate graphical applications running as that user will need that access. Where the system has no hot-pluggable graphics hardware (e.g., USB display adapters, DisplayLink devices), the practical exposure is minimal and standard patch scheduling suffices.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46065 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy