Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local GPU device access needed (AV:L, PR:L); a race condition makes reliable exploitation timing-dependent (AC:H); memory corruption yields full kernel CIA impact (C:H/I:H/A:H).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: Fix VM_BIND UNMAP locking
Wrong argument meant that the objs involved in UNMAP ops were not always getting locked.
Since _NO_SHARE objs share a common resv with the VM (which is always locked) this would only show up with non-_NO_SHARE BOs.
Patchwork: https://patchwork.freedesktop.org/patch/713898/
AnalysisAI
Local memory-corruption in the Linux kernel's drm/msm (Qualcomm Adreno GPU) driver stems from a VM_BIND UNMAP locking bug where a wrong argument left the GPU buffer objects involved in UNMAP operations unlocked. A low-privileged local user with GPU/render access on systems using the msm driver can trigger races that, per the 7.8 CVSS vector (AV:L/AC:L/PR:L), yield high confidentiality, integrity, and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local code execution on a system running the Linux kernel's drm/msm driver on Qualcomm Adreno GPU hardware, plus access to the DRM GPU device/render node to submit VM_BIND UNMAP operations. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a genuine but locally-scoped issue rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with access to the GPU render node on a Qualcomm Adreno-based Linux system issues VM_BIND UNMAP operations against non-_NO_SHARE GEM buffer objects, racing the unlocked code path to corrupt GPU address-space state or leak kernel memory. Given AV:L/AC:L/PR:L, no remote access or user interaction is needed, but the attacker must already be able to run code on the device. … |
| Remediation | Patch available per vendor advisory: upgrade to a Linux stable release containing the fix - the EUVD references patched targets including 6.18.33, 7.0.10, and 7.1, with the upstream stable commits at https://git.kernel.org/stable/c/206f812ef140727b75697111391ae320fd8aa652 , https://git.kernel.org/stable/c/d9ecf758270501b2e7a0bc1dd69a6f28f1ae3cae , and https://git.kernel.org/stable/c/85042c2cd970a6b0e686329387096fe19989ae62 ; the originating change is at https://patchwork.freedesktop.org/patch/713898/ . … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory Linux systems using msm driver and identify GPU-access users. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38922
GHSA-8263-r89r-w7g7