Skip to main content

Linux Kernel CVE-2026-46312

| EUVDEUVD-2026-35122 MEDIUM
2026-06-08 Linux GHSA-fc4p-mq27-m6p2
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local trigger requiring low-privilege mmap() call; no confidentiality or integrity impact; availability impact from kernel WARN_ON and pipeline destabilization.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 15:48 vuln.today
CVSS changed
Jul 08, 2026 - 14:52 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:50 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:50 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

media: videobuf2: Set vma_flags in vb2_dma_sg_mmap

vb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not see a reason why vb2_dma_sg should behave differently. This avoids hitting WARN_ON(!(vma->vm_flags & VM_DONTEXPAND)); in drm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of tree Apple ISP camera capture driver which uses vb2_dma_sg_memops.

gst-launch-1.0 v4l2src ! gtk4paintablesink

[ 38.201528] ------------[ cut here ]------------ [ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210 [ 38.203278] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device uinput nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr bnep nls_ascii i2c_dev loop fuse dm_multipath nfnetlink brcmfmac_wcc hid_magicmouse hci_bcm4377 brcmfmac brcmutil bluetooth ecdh_generic cfg80211 ecc btrfs xor xor_neon rfkill hid_apple raid6_pq joydev aop_als apple_nvmem_spmi industrialio snd_soc_aop apple_z2 snd_soc_cs42l84 tps6598x snd_soc_tas2764 macsmc_reboot spi_nor macsmc_hwmon rtc_macsmc gpio_macsmc macsmc_power regmap_spmi macsmc_input dockchannel_hid panel_summit appledrm nvme_apple dwc3 snd_soc_macaudio drm_client_lib nvme_core phy_apple_atc hwmon apple_sart apple_dockchannel macsmc apple_rtkit_helper spmi_apple_controller aop apple_wdt mfd_core nvmem_apple_efuses pinctrl_apple_gpio apple_isp apple_dcp videobuf2_dma_sg mux_core spi_apple [ 38.203300] videobuf2_memops i2c_pasemi_platform snd_soc_apple_mca videobuf2_v4l2 videodev clk_apple_nco videobuf2_common snd_pcm_dmaengine adpdrm asahi apple_admac adpdrm_mipi drm_dma_helper pwm_apple i2c_pasemi_core drm_display_helper mc cec apple_dart ofpart apple_soc_cpufreq leds_pwm phram [ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full) [ 38.219040] Tainted: [W]=WARN [ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT) [ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210 [ 38.221643] lr : drm_gem_mmap_obj+0x78/0x210 [ 38.222178] sp : ffffc0008dc678e0 [ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480 [ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968 [ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0 [ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968 [ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8 [ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff [ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8 [ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000 [ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038 [ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb [ 38.231488] Call trace: [ 38.231806] drm_gem_mmap_obj+0x1f8/0x210 (P) [ 38.232342] drm_gem_mmap+0x140/0x260 [ 38.232813] __mmap_region+0x488/0x9a0 [ 38.233277] mmap_region+0xd0/0x148 [ 38.233703] do_mmap+0x350/0x5c0 [ 38.234148] vm_mmap_pgoff+0x14c/0x200 [ 38.234612] ksys_mmap_pgoff+0x150/0x208 [ 38.235107] __arm64_sys_mmap+0x34/0x50 [ 38.235611] invoke_syscall+0x50/0x120 [ 38.236075] el0_svc_common.constprop.0+0x48/0xf0 [ 38.236680] do_el0_svc+0x24/0x38 [ 38.237113] el0_svc+0x38/0x168 [ 38.237507] el0t_64_sync_handler+0xa0/0xe8 [ 38.238034] el0t_64_sync+0x198/0x1a0 [ 38.238491] ---[ end trace 0000000000000000 ]---

There were discussions in [1] at the end of 2023 that mmap() on imported ---truncated---

AnalysisAI

Kernel warning (WARN_ON) triggerable in the Linux videobuf2 DMA scatter-gather subsystem on Apple Silicon systems allows a low-privileged local user to destabilize video capture pipelines by performing mmap() on an imported DMA-buf. The vb2_dma_sg_mmap function fails to set VM_DONTEXPAND and VM_DONTDUMP VMA flags - protections that vb2_dma_contig correctly applies - causing drm_gem_mmap_obj() to hit its assertion guard. No public exploit has been identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with the narrow hardware-specific trigger surface.

Technical ContextAI

The vulnerability resides in the Linux kernel videobuf2 (vb2) framework's DMA scatter-gather backend (drivers/media/common/videobuf2/videobuf2-dma-sg.c). When a V4L2 DMA-buf exported via vb2_dma_sg_mmap is imported into the DRM/GEM subsystem, drm_gem_mmap_obj() asserts WARN_ON(!(vma->vm_flags & VM_DONTEXPAND)) at drivers/gpu/drm/drm_gem.c:1144. This assertion exists because VM_DONTEXPAND prevents mremap() from illegally expanding a hardware-backed DMA mapping, and VM_DONTDUMP prevents DMA buffer contents (here, raw camera frame data from the Apple ISP) from being captured in process core dumps - the latter supporting the 'Information Disclosure' tag in the intelligence data. The parallel vb2_dma_contig implementation correctly sets both flags; vb2_dma_sg omits them. Affected CPE: cpe:2.3:a:linux:linux:* from kernel 2.6.39 onward. No CWE is assigned; the root cause class is an implementation inconsistency (missing protective flag propagation) rather than a memory safety flaw.

RemediationAI

Update the Linux kernel to a patched release: 6.6.140 (longterm branch), 6.12.90, 6.18.32, or 7.0.9 depending on the deployed stable series; 7.1-rc1 includes the fix for development environments. Upstream stable fix commits are at https://git.kernel.org/stable/c/feb17524aa4ec337749344be0db52b88663e25ab, https://git.kernel.org/stable/c/1a1360264f699521e001e7739009ee3ee3c6a4f5, https://git.kernel.org/stable/c/21fade52ab9fb13368a5709e60b0d9909197aeae, https://git.kernel.org/stable/c/b4cf91658a636618f1437beec971dec25dec28eb, and https://git.kernel.org/stable/c/7254b31a13aaa0c2c0f9ffbc335b718656117ff4. If patching is not immediately feasible on Asahi Linux systems, blacklisting the apple_isp module (echo 'blacklist apple_isp' >> /etc/modprobe.d/apple_isp.conf) eliminates the trigger entirely but disables the built-in camera. Alternatively, avoiding DMA-buf-importing V4L2 pipelines (e.g., gst-launch-1.0 v4l2src ! gtk4paintablesink) prevents the WARN_ON from firing without disabling the camera subsystem. Note that the WARN_ON is non-fatal by default - the kernel continues operating but logs a taint warning; the primary urgency is camera pipeline reliability and the secondary VM_DONTDUMP information disclosure risk.

Share

CVE-2026-46312 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy