Skip to main content

Linux Kernel EUVDEUVD-2026-31272

| CVE-2026-43498 HIGH
Out-of-bounds Write (CWE-787)
2026-05-21 Linux GHSA-p8xq-f97w-qv9j
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 13:29 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 21, 2026 - 13:01 EUVD
CVE Published
May 21, 2026 - 12:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 21, 2026 - 12:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

accel/ivpu: Disallow re-exporting imported GEM objects

Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.

Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.

AnalysisAI

Local privilege-level data corruption in the Linux kernel's accel/ivpu driver (Intel VPU accelerator) allows authenticated local users to trigger incorrect device access and memory corruption by re-exporting imported GEM (Graphics Execution Manager) buffer objects via the DMA-BUF prime interface. The flaw stems from the missing validation that allowed buffer flag settings to be lost on re-export, and while CVSS rates it 7.8 High due to local high-impact effects, EPSS is only 0.02% and no public exploit identified at time of analysis.

Technical ContextAI

The accel/ivpu driver provides kernel-side support for Intel's Versatile Processing Unit (VPU) AI accelerator, exposed through the DRM/accel subsystem. GEM (Graphics Execution Manager) objects can be shared between drivers via the DMA-BUF prime_handle_to_fd interface, which converts a GEM handle to a file descriptor usable in other processes or drivers. The vulnerability is rooted in the absence of a check ensuring that buffers imported from another driver are not re-exported through ivpu - when re-exported, the buffer's cache/coherency/access flags are not preserved, producing inconsistent device views of memory. The fix adds a custom prime_handle_to_fd callback that returns -EOPNOTSUPP if the underlying GEM object was imported. No CWE was assigned, but the bug class aligns with CWE-1284 (improper validation of specified quantity in input) or memory integrity loss through improper resource transfer.

RemediationAI

Vendor-released patch: Linux stable 7.0.7 and mainline 7.1-rc3, corresponding to upstream commits https://git.kernel.org/stable/c/7dd57d7a6350770dfc283287125c409e995200e0 and https://git.kernel.org/stable/c/3756043dd695bba34cc728cdc5688dcb49ac8043; upgrade to a distribution kernel that incorporates these commits. If patching must be deferred, restrict access to the ivpu DRM/accel device node by tightening the owning group (typically 'render') to trusted users only and avoid running untrusted workloads that perform DMA-BUF import/export against the VPU - note the trade-off is loss of VPU acceleration for non-trusted users and possible breakage of any legitimate cross-driver buffer-sharing workflows. Where the Intel VPU accelerator is unused, unloading or blacklisting the intel_vpu (ivpu) kernel module fully eliminates exposure at the cost of disabling VPU functionality. Refer to https://nvd.nist.gov/vuln/detail/CVE-2026-43498 for advisory tracking.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

EUVD-2026-31272 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy