Skip to main content

Linux Kernel CVE-2026-46209

| EUVDEUVD-2026-32836 HIGH
Out-of-bounds Write (CWE-787)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-f8g6-g8cv-582v
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:07 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()

drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:

unsigned int width = mode_cmd->width / (i ? info->hsub : 1); unsigned int height = mode_cmd->height / (i ? info->vsub : 1);

However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.

For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.

Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().

AnalysisAI

Local privilege escalation potential exists in the Linux kernel's DRM/GEM framebuffer subsystem (drm_gem_fb_init_with_funcs) where inconsistent plane dimension calculations between integer division and DIV_ROUND_UP cause a size-check bypass. A local low-privileged user able to invoke the framebuffer ioctl with specific pixel formats (e.g., NV12) and crafted dimensions can trigger an out-of-bounds GPU memory access on the chroma plane, leading to memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term exploitation risk despite the 7.8 CVSS.

Technical ContextAI

The flaw lives in the Direct Rendering Manager (DRM) GEM (Graphics Execution Manager) framebuffer initialization helper used by Linux kernel graphics drivers. The function drm_gem_fb_init_with_funcs() computed sub-sampled chroma plane dimensions for multi-planar pixel formats using plain integer division (width/hsub, height/vsub), while the ioctl-level framebuffer_check() validated using drm_format_info_plane_width/height() which rely on DIV_ROUND_UP(). The mismatch matters for formats like NV12 with vertical subsampling factor 2: a 1-pixel-tall frame yields height=0 in the GEM path, and the subsequent (height - 1) expression underflows the unsigned int to UINT_MAX, wrapping min_size back to a small value. This effectively defeats the GEM object size guard, producing a classic integer-underflow-leading-to-out-of-bounds-access pattern (CWE-191/CWE-787 family). No CWE was assigned by NVD at time of analysis.

RemediationAI

Vendor-released patches are available - upgrade to Linux kernel 6.6.140, 6.12.90, 6.18.32, 7.0.9, or 7.1-rc2 (or any later release in the same series) which include the fix replacing the open-coded divisions with drm_format_info_plane_width()/drm_format_info_plane_height(). Distribution users should track their vendor's kernel security update channel (Red Hat, SUSE, Ubuntu, Debian, Oracle) and apply the backported fix as it lands; the upstream commits are available at https://git.kernel.org/stable/c/1a17ea9861e89585361caa8bc231bd22dc6dbe7d and the sibling commits listed in EUVD-2026-32836. If immediate patching is not feasible, restrict access to DRM render and card device nodes (/dev/dri/card* and /dev/dri/renderD*) by tightening group membership (typically 'video' or 'render') and avoid granting untrusted local users or unprivileged containers passthrough to GPU devices; the trade-off is loss of hardware-accelerated graphics for those users or workloads. For multi-tenant or container hosts, consider seccomp/LSM policies that block the DRM_IOCTL_MODE_ADDFB2 ioctl path until patched, accepting that this breaks legitimate compositor and Wayland/X server functionality.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46209 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy