Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local DRM access by a low-privileged user (AV:L/PR:L), straightforward overflow (AC:L); out-of-bounds access yields info leak (C:H) and kernel crash (A:H) with no integrity impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
drm/komeda: fix integer overflow in AFBC framebuffer size check
The AFBC framebuffer size validation calculates the minimum required buffer size by adding the AFBC payload size to the framebuffer offset. This addition is performed without checking for integer overflow.
If the addition oveflows, the size check may incorrectly succed and allow userspace to provide an undersized drm_gem_object, potentially leading to out-of-bounds memory access.
Add usage of check_add_overflow() to safely compute the minimum required size and reject the framebuffer if an overflow is detected. This makes the AFBC size validation more robust against malformed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
AnalysisAI
Out-of-bounds memory access in the Linux kernel's Arm Mali 'komeda' DRM display driver allows a local low-privileged user to bypass AFBC framebuffer size validation via an integer overflow, supplying an undersized GEM buffer object that the driver treats as valid. Exploitation requires local access to the DRM device on hardware using the komeda driver, and there is no public exploit identified at time of analysis; EPSS probability is very low (0.16%, 6th percentile). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to the DRM device node on a system actually running the drm/komeda driver (Arm Mali D71-class display hardware), plus the ability to submit an AFBC-format framebuffer via DRM ioctls - meaning the AFBC code path must be reachable for the malformed offset/size addition to overflow. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a real-but-bounded local issue rather than a mass-exploitation priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with access to the DRM device on an Arm Mali komeda-based system (e.g. an embedded Linux device or development board) issues a DRM ADDFB2 ioctl with a crafted AFBC framebuffer whose offset and computed payload size wrap the unsigned addition. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 7.0.10, or 6.18.33 (or later) for the matching series, which add the check_add_overflow() guard to the AFBC size validation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory Linux systems running Arm Mali komeda driver and identify those with local user access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38936
GHSA-5pf3-f93j-64w2