CVE-2026-46209: Linux DRM Framebuffer Memory Corruption Vulnerability
A calculation error in the Linux kernel's graphics subsystem can cause memory protection checks to fail for certain image formats and dimensions. When the GPU driver prepares framebuffers for display, it validates that allocated memory is large enough. However, a mismatch in how dimensions are rounded between two validation functions can cause this check to incorrectly pass for very small images—specifically those 1 pixel tall with formats like NV12. This allows the GPU to access memory outside its allocated buffer, potentially enabling data theft or system compromise from unprivileged user processes.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-787
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division: unsigned int width = mode_cmd->width / (i ? info->hsub : 1); unsigned int height = mode_cmd->height / (i ? info->vsub : 1); However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations. For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds. Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46209 is a buffer boundary validation bypass in the DRM (Direct Rendering Manager) subsystem. The vulnerability stems from inconsistent dimension calculations in drm_gem_fb_init_with_funcs(). This function uses truncating integer division when computing subsampled plane heights and widths, while the ioctl-level framebuffer_check() function uses DIV_ROUND_UP() to round dimensions up. For formats with vertical subsampling (vsub > 1), such as NV12, a 1-pixel-tall framebuffer incorrectly computes height as 0 in the GEM object size check. The subsequent expression (height - 1) underflows to UINT_MAX, causing integer overflow in min_size calculation. This results in a falsely small required size, permitting undersized GEM object allocation. When GPU hardware accesses the chroma plane, it performs out-of-bounds memory operations. The fix aligns both code paths by using drm_format_info_plane_width() and drm_format_info_plane_height() helper functions that consistently apply rounding.
Business impact
This vulnerability allows a local, unprivileged user to trigger out-of-bounds memory access via GPU operations. Exploitation enables read and write access to kernel memory beyond framebuffer bounds, potentially leading to privilege escalation, information disclosure, or denial of service. Systems relying on GPU virtualization or container isolation may be particularly at risk if user-facing GPU access is permitted. The impact is confined to local attack surface but carries high severity due to the combination of memory corruption and privileged execution context.
Affected systems
All Linux kernel versions containing the affected drm_gem_fb_init_with_funcs() function are potentially vulnerable. Verify the exact kernel versions from the official Linux kernel security advisory. The vulnerability affects any system running an unpatched kernel with graphics drivers using the DRM subsystem—this includes most desktop Linux distributions, embedded systems with GPU hardware, and cloud instances with GPU acceleration enabled.
Exploitability
Exploitation requires local system access and the ability to perform framebuffer operations, typically available to unprivileged users with GPU device access. No network attack vector exists. The vulnerability is triggered by crafting a framebuffer with specific dimension and format combinations (e.g., NV12 with 1-pixel height) that reliably trigger the integer underflow. Proof-of-concept development is feasible but requires graphics subsystem expertise. The CVSS score of 7.8 reflects local attack surface (AV:L), but the absence of special privileges (PR:L) and the direct path to memory corruption (C:H, I:H, A:H) elevate severity.
Remediation
Patch the Linux kernel to a version containing the fix that unifies plane dimension calculations. Ensure drm_gem_fb_init_with_funcs() uses the same DIV_ROUND_UP() rounding as framebuffer_check(). Verify the patched kernel version against the official Linux kernel advisories. Compile and deploy the patched kernel following your organization's standard kernel update procedures.
Patch guidance
Obtain the patched kernel from your distribution's security update channels or directly from kernel.org. Verify patches are signed and authentic. For distributions: Ubuntu, Fedora, Debian, and RHEL will release kernel updates through their security advisories—check your vendor's CVE database for specific version numbers. Apply patches during scheduled maintenance to minimize GPU service interruptions. Recompile kernel modules if necessary and test GPU functionality post-deployment.
Detection guidance
System logs may not directly indicate exploitation, but monitor for: (1) GPU error messages or driver crashes following framebuffer operations; (2) unexpected memory access violations in dmesg related to DRM; (3) userspace GPU applications receiving out-of-bounds memory access errors. Kernel Address Sanitizer (KASAN) builds will flag the underflow and out-of-bounds access. Network-based detection is not feasible; focus on host-level kernel monitoring and GPU driver state inspection.
Why prioritize this
Prioritize patching systems where unprivileged users have GPU device access or where containers/VMs expose GPU to tenants. Standalone workstations without GPU or systems where GPU access is restricted to privileged users face lower immediate risk. However, given the HIGH CVSS score and potential for privilege escalation, this should be scheduled urgently within standard patching cycles (days to weeks, not months).
Risk score, explained
The CVSS 3.1 score of 7.8 reflects: (1) Local attack vector only (AV:L), limiting exposure but not eliminating concern; (2) Low complexity attack requiring specific dimension/format combinations but no special tools; (3) Low privileges required—unprivileged user access to GPU is typical on Linux workstations and multi-tenant systems; (4) High impact across confidentiality, integrity, and availability due to unrestricted memory read/write and kernel crash potential. The vulnerability is not in the CISA KEV catalog, indicating no confirmed active exploitation in the wild at publication, but the attack surface remains significant in GPU-enabled environments.
Frequently asked questions
Does this affect systems without GPU hardware or with GPU access restricted to root?
Systems without GPUs are unaffected by this specific vulnerability. Systems where GPU device access is restricted to root or privileged users face significantly lower risk, though an unprivileged user gaining temporary GPU access (e.g., via misconfiguration) could still exploit it. Review GPU device permissions (/dev/dri/*) to confirm access controls.
Can this be exploited over the network?
No. This vulnerability requires local system access and direct interaction with GPU framebuffer operations. Network-based exploitation is not possible. However, cloud instances offering GPU acceleration to tenants should prioritize patching.
What happens if I continue running an unpatched kernel?
Unpatched systems remain vulnerable to local privilege escalation and information disclosure attacks from any user with GPU device access. An attacker could craft malicious framebuffer operations to leak sensitive kernel data or escalate privileges. The risk increases proportionally with the number of untrusted users on the system.
Are all Linux distributions affected equally?
All distributions using the vulnerable Linux kernel code are affected. However, exposure depends on GPU availability and device permissions. Server distributions without GPU hardware face no risk. Desktop and embedded distributions with GPU support should prioritize patching. Check your distribution's security advisory for specific kernel versions and patch availability.
This analysis is provided for informational purposes to support vulnerability management decision-making. It does not constitute legal or professional security advice. Organizations must independently verify all patch versions, affected product lists, and remediation steps against official vendor advisories before deployment. Exploit code or weaponized proof-of-concept details are not provided here. Security teams should conduct internal testing and risk assessment aligned with their specific infrastructure, business context, and risk tolerance. SEC.co and this analysis bear no liability for deployment outcomes or damages resulting from patch application or non-application. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10883HIGHType Confusion in Chrome ANGLE Graphics Library
- CVE-2026-10897HIGHCritical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGHChrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-46123HIGHLinux Kernel Virtio Bluetooth Memory Disclosure Vulnerability
- CVE-2026-46136HIGHLinux MT7921 Wi-Fi Driver Buffer Underflow – Patching Guide
- CVE-2026-46145HIGHLinux Kernel RDMA/mana Buffer Overflow – Local Privilege Escalation
- CVE-2026-46173HIGHLinux Kernel Task Exit Scheduler Vulnerability (CVSS 7.8)