Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Fix global performance monitor reference counting
In the SET_GLOBAL ioctl, v3d_perfmon_find() bumps the reference count on the perfmon it returns, but v3d_perfmon_set_global_ioctl() and v3d_perfmon_delete() fail to release that reference on several paths:
- v3d_perfmon_set_global_ioctl() leaks the reference on its error
paths.
- CLEAR_GLOBAL leaks both the find reference and the reference
previously stashed in v3d->global_perfmon by the SET_GLOBAL ioctl that configured it.
- Destroying a perfmon that is the current global perfmon leaks the
reference stashed by the SET_GLOBAL ioctl.
Release each of these references explicitly.
AnalysisAI
Reference counting leaks in the Linux kernel's drm/v3d driver allow a local user to exhaust kernel memory and trigger a denial-of-service condition on systems equipped with Broadcom VideoCore VI GPUs (e.g., Raspberry Pi 4/5). The flaw exists across three code paths in the SET_GLOBAL and CLEAR_GLOBAL perfmon ioctls, as well as in the perfmon destroy path, each of which fails to release references acquired by v3d_perfmon_find(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39232
GHSA-j22c-2h2q-55pv