Skip to main content

Linux Kernel CVE-2026-46215

| EUVDEUVD-2026-32842 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-gm2j-59pp-6cxj
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:08 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm: Set old handle to NULL before prime swap in change_handle

There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.

To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.

create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.

v2: cleanups of error paths

AnalysisAI

Use-after-free in the Linux kernel's DRM (Direct Rendering Manager) GEM handle subsystem allows a local authenticated attacker to trigger memory corruption via a race condition in the change_handle ioctl. The flaw stems from a window where a single GEM object briefly held two IDR entries, letting a concurrent gem_close call dereference a dangling handle. No public exploit identified at time of analysis and EPSS exploitation probability is low (0.02%), but the CVSS 7.8 reflects full confidentiality, integrity, and availability impact on affected systems.

Technical ContextAI

The vulnerability resides in the Direct Rendering Manager (DRM) subsystem of the Linux kernel, specifically in the PRIME buffer sharing path where change_handle swaps GEM (Graphics Execution Manager) handles in the IDR (ID allocator). PRIME is the cross-driver buffer sharing mechanism used by GPU drivers (i915, amdgpu, nouveau, etc.) to share DMA buffers between processes and devices via file descriptors. During the handle swap, two IDR entries transiently referenced the same underlying object; if gem_close ran concurrently it could free the object while another entry still pointed to it, producing a classic use-after-free (CWE-416 class root cause, though CWE field is N/A in NVD). The fix mirrors the established pattern from commits f6cd7daecff5 and bd46cece51a3, which idr_replace the old handle to NULL before the final close, eliminating the dangling-reference window.

RemediationAI

Vendor-released patch: upgrade to Linux 6.18.32, 7.0.9, or 7.1-rc3 or later, which incorporate fixing commits 5e28b7b9, 61bd96d3, and 672464dd available at git.kernel.org/stable/c/ (see references). Distribution users should install the next stable kernel update from their vendor and reboot. If patching must be deferred, compensating controls are limited because GEM/PRIME ioctls are the standard graphics path: restrict access to /dev/dri/card* and /dev/dri/renderD* nodes by tightening group membership (remove untrusted users from the 'video' and 'render' groups) and disallow unprivileged container workloads from mounting these device nodes - the side effect is loss of hardware-accelerated rendering for affected users and containers. On headless servers with no graphics workload, blacklisting unused DRM drivers (e.g., via /etc/modprobe.d) removes the attack surface entirely with no functional cost.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46215 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy