Skip to main content

Linux Kernel EUVDEUVD-2026-34109

| CVE-2026-46247 MEDIUM
2026-06-03 Linux GHSA-cj3j-7wwr-65rm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 09, 2026 - 20:38 vuln.today
CVSS changed
Jun 09, 2026 - 20:37 NVD
5.5 (MEDIUM)
Patch available
Jun 03, 2026 - 19:01 EUVD
CVE Published
Jun 03, 2026 - 15:49 nvd
MEDIUM 5.5
CVE Published
Jun 03, 2026 - 15:49 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

clk: qcom: gfx3d: add parent to parent request map

After commit d228ece36345 ("clk: divider: remove round_rate() in favor of determine_rate()") determining GFX3D clock rate crashes, because the passed parent map doesn't provide the expected best_parent_hw clock (with the roundd_rate path before the offending commit the best_parent_hw was ignored).

Set the field in parent_req in addition to setting it in the req, fixing the crash.

clk_hw_round_rate (drivers/clk/clk.c:1764) (P) clk_divider_bestdiv (drivers/clk/clk-divider.c:336) divider_determine_rate (drivers/clk/clk-divider.c:358) clk_alpha_pll_postdiv_determine_rate (drivers/clk/qcom/clk-alpha-pll.c:1275) clk_core_determine_round_nolock (drivers/clk/clk.c:1606) clk_core_round_rate_nolock (drivers/clk/clk.c:1701) __clk_determine_rate (drivers/clk/clk.c:1741) clk_gfx3d_determine_rate (drivers/clk/qcom/clk-rcg2.c:1268) clk_core_determine_round_nolock (drivers/clk/clk.c:1606) clk_core_round_rate_nolock (drivers/clk/clk.c:1701) clk_core_round_rate_nolock (drivers/clk/clk.c:1710) clk_round_rate (drivers/clk/clk.c:1804) dev_pm_opp_set_rate (drivers/opp/core.c:1440 (discriminator 1)) msm_devfreq_target (drivers/gpu/drm/msm/msm_gpu_devfreq.c:51) devfreq_set_target (drivers/devfreq/devfreq.c:360) devfreq_update_target (drivers/devfreq/devfreq.c:426) devfreq_monitor (drivers/devfreq/devfreq.c:458) process_one_work (arch/arm64/include/asm/jump_label.h:36 include/trace/events/workqueue.h:110 kernel/workqueue.c:3284) worker_thread (kernel/workqueue.c:3356 (discriminator 2) kernel/workqueue.c:3443 (discriminator 2)) kthread (kernel/kthread.c:467) ret_from_fork (arch/arm64/kernel/entry.S:861)

AnalysisAI

Kernel crash (denial of service) affects Qualcomm GFX3D GPU clock management on ARM64 Linux systems running vulnerable kernel versions. A regression introduced by commit d228ece36345 ('clk: divider: remove round_rate() in favor of determine_rate()') left the best_parent_hw field unpopulated in parent_req during GFX3D clock rate determination, causing a NULL dereference crash triggered by normal GPU devfreq monitoring. A local low-privileged user on a Qualcomm MSM/Snapdragon device can induce this crash through GPU frequency scaling activity. No public exploit exists and EPSS is 0.02%, consistent with a narrow hardware-specific bug rather than broadly exploitable vulnerability.

Technical ContextAI

The vulnerability resides in drivers/clk/qcom/clk-rcg2.c within the clk_gfx3d_determine_rate() function of the Qualcomm clock subsystem for ARM64 Linux. The upstream refactor in commit d228ece36345 replaced the round_rate() path with determine_rate() across the clock divider framework. Under the old round_rate path, best_parent_hw was implicitly ignored; under determine_rate(), the clock framework actively dereferences the best_parent_hw pointer populated in parent_req during parent resolution (clk_alpha_pll_postdiv_determine_rate → clk_hw_round_rate). The fix requires setting the best_parent_hw field in parent_req in addition to setting it in req. The full call chain at crash time flows through devfreq_monitor → msm_devfreq_target → dev_pm_opp_set_rate → clk_round_rate → clk_gfx3d_determine_rate → clk_core_round_rate_nolock → clk_hw_round_rate, all on Qualcomm MSM GPU devfreq paths. CPE data identifies the affected component as cpe:2.3:a:linux:linux. The regression was introduced at commit 55213e1acec9218580c90d36034aa0370a51daab and affects all downstream stable branches up to the respective fix points.

RemediationAI

The primary fix is to upgrade the Linux kernel to a patched stable release: 6.1.165 or later, 6.6.128 or later, 6.12.75 or later, 6.18.14 or later, 6.19.4 or later, or 7.0 or later, as appropriate for the deployed branch. Upstream fix commits are available at the six kernel.org stable references listed in affected_products for operators maintaining custom or vendor kernel trees. For systems where a full kernel upgrade is not immediately feasible, a compensating control is to disable GPU devfreq (dynamic frequency scaling) for the GFX3D clock domain by setting the devfreq governor to a fixed performance state or blacklisting the msm_devfreq driver - this prevents the devfreq_monitor path from triggering the vulnerable clk_gfx3d_determine_rate code. Trade-off: disabling devfreq increases GPU power consumption and thermal output, which may be significant on battery-powered or thermally-constrained devices. No vendor-issued security advisory beyond the upstream stable tree commits has been identified at time of analysis.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-34109 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy