Skip to main content

Linux Kernel EUVDEUVD-2026-32838

| CVE-2026-46211 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6wcw-jhw2-v4p6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
6.6 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 19:27 vuln.today
CVSS changed
Jun 10, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()

msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.

Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.

Add the missing NULL check for kmemdup() and return ret instead of 0.

Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.

Patchwork: https://patchwork.freedesktop.org/patch/714478/

AnalysisAI

NULL pointer dereference and silent error suppression in the Linux kernel's Qualcomm MSM DRM/GEM subsystem allows a low-privileged local user to crash the kernel (denial of service) via a crafted GEM_INFO ioctl call. The msm_ioctl_gem_info_get_metadata() function unconditionally returns 0 on error and fails to check kmemdup() for a NULL return, enabling a dereference in the subsequent copy_to_user() call. No public exploit has been identified at time of analysis and EPSS is 0.02% (5th percentile), reflecting minimal real-world exploitation pressure despite the confirmed availability of upstream patch commits.

Technical ContextAI

The vulnerability resides in the Direct Rendering Manager (DRM) subsystem of the Linux kernel, specifically within the Qualcomm MSM (Mobile Station Modem) GPU driver's GEM (Graphics Execution Manager) object management layer. The msm_ioctl_gem_info_get_metadata() function processes metadata retrieval requests submitted via ioctl from userspace. Two distinct defects exist: first, the function ignores non-zero return values from copy_to_user() and returns 0 unconditionally, deceiving userspace into treating failed ioctls as successful; second, the return value of kmemdup() - which duplicates kernel memory - is never validated for NULL, and a NULL pointer is passed directly into copy_to_user() when allocation fails under memory pressure. CWE-476 (NULL Pointer Dereference) is the primary root cause classification. The companion function msm_ioctl_gem_info_set_metadata correctly returns ret, confirming this is an oversight in only the GET path. The vulnerable code was introduced in commit 9902cb999e4e913d98e8afe4b36c08e4a793e1ce, corresponding to Linux 6.8, and affects the CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel version: 6.12.90, 6.18.32, 7.0.9, or 7.1-rc1 or later stable releases, which incorporate the upstream fix commits available at https://git.kernel.org/stable/c/47cbfe2608314b833ad61a65827d8fb363bc2d2d and the three companion stable-branch patches. Distribution-specific kernel updates from vendors such as Red Hat, Ubuntu, SUSE, and Debian should be monitored for backported fixes, as their patch timelines are not confirmed in the available reference data. As a compensating control where immediate patching is not feasible, restrict access to Qualcomm DRM render nodes (/dev/dri/renderD*) by tightening filesystem permissions or enforcing cgroup device access policies to prevent untrusted local users from invoking the vulnerable ioctl path - note that this trade-off will break GPU-accelerated applications for affected users. Alternatively, blacklisting the msm kernel module (if the hardware is not in active use) eliminates the attack surface entirely but disables all Qualcomm GPU functionality.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32838 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy