Skip to main content

Linux Kernel EUVDEUVD-2026-39236

| CVE-2026-53145 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-x237-c35r-5vq5
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local DRM-device access needed (AV:L, PR:L); it is a tight timing race so AC:H; a winning UAF can corrupt kernel memory giving full C/I/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:14 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/gem: Try to fix change_handle ioctl, attempt 4

[airlied: just added some comments on how to reenable] On-list because the cat is out of the bag and we're clearly not good enough to figure this out in private. The story thus far:

5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle") tried to fix a race condition between the gem_close and gem_change_handle ioctls, but got a few things wrong:

  • There's a confusion with the local variable handle, which is actually

the new handle, and so the two-stage trick was actually applied to the wrong idr slot. 7164d78559b0 ("drm/gem: fix race between change_handle and handle_delete") tried to fix that by adding yet another code block, but forgot to add the error handling. Which meant we now have two paths, both kinda wrong.

  • dc366607c41c ("drm: Replace old pointer to new idr") tried to apply

another fix, but inconsistently, again because of the handle confusion

  • this would be the right fix (kinda, somewhat, it's a mess) if we'd

do the two-stage approach for the new handle. Except that wasn't the intent of the original fix.

We also didn't have an igt merged for the original ioctl, which is a big no-go. This was attempted to address off-list in the original bugfix, and amd QA people claimed the bug was fixed now. Very clearly that's not the case. Here's my attempt to sort this out:

  • Rename the local variable to new_handle, the old aliasing with

args->handle is just too dangerously confusing.

  • Merge the gem obj lookup with the two-stage idr_replace so that we

avoid getting ourselves confused there.

  • This means we don't have a surplus temporary reference anymore, only

an inherited from the idr. A concurrent gem_close on the new_handle could steal that. Fix that with the same two-stage approach create_tail uses. This is a bit overkill as documented in the comment, but I also don't trust my ability to understand this all correctly, so go with the established pattern we have from other ioctls instead for maximum paranoia.

  • Adjust error paths. I've tried to make the error and success paths

common, because they are identical except for which handle is removed and on which we call idr_replace to (re)install the object again. But that made things messier to read, so I've left it at the more verbose version, which unfortunately hides the symmetry in the entire code flow a bit.

  • While at it, also replace the 7 space indent with 1 tab.

And finally, because I flat out don't trust my abilities here at all anymore:

  • Disable the ioctl until we have the igt situation and everything else

sorted out on-list and with full consensus.

v2:

Sashiko noticed that I didn't handle the error path for idr_replace correctly, it must be checked with IS_ERR_OR_NULL like in gem_handle_delete. So yeah, definitely should just the existing paths 1:1 because this is endless amounts of tricky.

Also add the Fixes: line for the original ioctl, I forgot that too.

AnalysisAI

Local privilege escalation and memory corruption in the Linux kernel DRM/GEM subsystem stems from a race condition in the GEM change_handle ioctl when it runs concurrently with gem_close, where botched two-stage idr_replace handling against the wrong idr slot allows a concurrent close to steal the object's only inherited reference. The flaw affects systems using the DRM graphics stack (notably AMD GPU paths, per source tags) and an unprivileged local user with access to a DRM render/card device can trigger a use-after-free, with the upstream resolution disabling the change_handle ioctl entirely until the locking can be proven correct. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to DRM device node
Delivery
Spawn racing change_handle and gem_close threads
Exploit
Win IDR reference-stealing race window
Execution
Trigger use-after-free on GEM object
Persist
Corrupt kernel memory or leak data
Impact
Escalate privileges or disclose info

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to a DRM device node (/dev/dri/card* or renderD*) on a kernel built with the DRM/GEM stack (the AMD GPU driver path is specifically implicated by source tags), plus the ability to issue ioctls concurrently from multiple threads to win the race between GEM change_handle and gem_close. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score is 7.8 High (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating local, low-privilege, no-interaction access with full confidentiality, integrity and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unprivileged local user (or a compromised, sandboxed process that has been granted access to a DRM render node) repeatedly invokes the GEM change_handle ioctl on one thread while racing gem_close on the new handle in another thread, aiming to win the timing window where the object's only IDR-inherited reference is stolen. Hitting the race frees the GEM object while a stale reference remains, yielding a use-after-free that can be groomed for information disclosure or memory corruption and potentially privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel build - 6.18.36 or later on the 6.18.x branch, and 7.0.13 or later on the 7.0.x branch, which incorporate the corrected change_handle handling and disable the ioctl pending IGT test coverage. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Linux systems with AMD GPU drivers and DRM graphics subsystem enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-5645 CRITICAL POC
9.8 Apr 17

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events

CVE-2015-0240 CRITICAL POC
10.0 Feb 24

The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1

CVE-2016-6662 CRITICAL POC
9.8 Sep 20

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.2

CVE-2025-32463 CRITICAL POC
9.3 Jun 30

Sudo before 1.9.17p1 contains a local root escalation vulnerability (CVE-2025-32463, CVSS 9.3) through the --chroot opti

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2017-3068 HIGH POC
8.8 May 09

Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable memory corruption vulnerability in the Advanced V

CVE-2013-4124 MEDIUM POC
5.0 Aug 06

Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.

CVE-2015-4024 MEDIUM POC
5.0 Jun 09

Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.

CVE-2017-3106 HIGH POC
8.8 Aug 11

Adobe Flash Player versions 26.0.0.137 and earlier have an exploitable type confusion vulnerability when parsing SWF fil

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2014-3560 HIGH
7.9 Aug 06

NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x before 4.1.11 allows remote attackers to exec

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

Share

EUVD-2026-39236 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy