MEDIUM 5.5

CVE-2026-46211: Linux Kernel MSM DRM NULL Pointer and Silent Error in gem_info_get_metadata

A flaw in the Linux kernel's graphics driver (msm/gem) causes an ioctl function to report success even when it fails. When userspace attempts to retrieve metadata about graphics objects, the function incorrectly returns 0 (success) even if the underlying operations—such as copying data to userspace or allocating memory—actually fail. Additionally, if memory allocation fails, the code does not check for a NULL pointer, leading to a crash. This allows applications to think they've successfully retrieved metadata when they haven't, or to trigger a denial of service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not. Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call. Add the missing NULL check for kmemdup() and return ret instead of 0. Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret. Patchwork: https://patchwork.freedesktop.org/patch/714478/

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The msm_ioctl_gem_info_get_metadata() function in the MSM DRM subsystem has two distinct error-handling defects. First, the function unconditionally returns 0 regardless of the value stored in the ret variable, which means errors from copy_to_user() (e.g., invalid buffer address, insufficient buffer size) are silently discarded. Second, kmemdup() is called without checking for NULL return on allocation failure; a subsequent copy_to_user() call on a NULL pointer triggers a NULL pointer dereference. The analogous SET metadata function correctly returns ret, highlighting that this GET function's behavior is inconsistent and unintentional. The fix involves adding a NULL check after kmemdup() and returning ret instead of hardcoded 0.

Business impact

For system administrators and application developers, this vulnerability means that userspace graphics applications may fail to detect when ioctl requests have actually failed, leading to silent data loss, corrupted application state, or assumption of invalid metadata. In memory-constrained environments or under high system load, the NULL pointer dereference can trigger a kernel panic affecting all users on that system. While the vulnerability requires local access and unprivileged userspace involvement, it degrades system reliability and complicates debugging of graphics-related failures.

Affected systems

The Linux kernel is affected. The vulnerability resides in the DRM (Direct Rendering Manager) subsystem's MSM (Qualcomm Adreno) GPU driver, specifically in the gem (Graphics Execution Manager) module. Any Linux distribution shipping an affected kernel version will include the vulnerable code. Systems running recent kernels with the MSM DRM driver compiled in are at risk. Server and desktop deployments with integrated or discrete Qualcomm Adreno GPUs are in scope.

Exploitability

Exploitation requires local code execution privilege (PR:L in CVSS) and no user interaction. An unprivileged local process can invoke the vulnerable ioctl and either trigger the NULL pointer dereference for a kernel panic, or exploit the silent error return to manipulate application behavior. The flaw is straightforward to trigger: calling the ioctl with a small or invalid buffer reliably reproduces the error-handling failure. No special kernel features, race conditions, or timing are required. However, the impact is localized to denial of service and denial of service only; remote exploitation and privilege escalation are not possible via this vector.

Remediation

Apply a kernel patch that adds a NULL pointer check after the kmemdup() call and modifies the function to return ret instead of 0. This is a minimal, localized fix that brings the GET metadata function in line with the SET metadata function's correct behavior. Affected distributions should backport the fix to all supported kernel versions that include the MSM DRM driver. End users should update their kernel to a patched version provided by their distribution.

Patch guidance

Check your Linux distribution's security advisory and kernel release notes for a patched version. The fix is expected to be included in forthcoming kernel releases. For RedHat, Ubuntu, Debian, and other major distributions, watch for kernel security updates addressing CVE-2026-46211. Verify patch version numbers against your vendor's official advisory before deployment. The fix is typically a single-digit line addition and should be safe to apply to stable kernel branches without substantial side effects.

Detection guidance

Monitor kernel logs for NULL pointer dereference crashes in the msm_ioctl_gem_info_get_metadata() path or caller stack traces involving gem metadata operations. Check for patterns where userspace DRM/graphics applications report unexpected failures or silently skip expected metadata checks. If using kernel tracing or eBPF, instrument the ioctl entry point to detect cases where the function returns 0 but internal error handling was triggered. Userspace fuzzing of the DRM ioctl interface, particularly gem_info operations, can provoke the condition.

Why prioritize this

This is a medium-severity issue affecting a niche but critical subsystem (GPU driver). The CVSS score of 5.5 reflects moderate impact (kernel denial of service) constrained by local-only attack surface. Prioritize patching for systems with integrated Adreno GPUs and active local user accounts. Server environments with graphics acceleration are at higher risk than headless deployments. The fix is simple and low-risk, making it a good candidate for prompt deployment.

Risk score, explained

CVSS 5.5 (MEDIUM) is justified by: (1) local attack vector only (AV:L), (2) low attack complexity—no special conditions needed (AC:L), (3) requires low privilege—unprivileged local process (PR:L), (4) no user interaction required (UI:N), (5) impact confined to the local system (S:U), (6) no confidentiality or integrity breach (C:N, I:N), but (7) high availability impact via NULL pointer dereference or denial of service (A:H). The vulnerability is not critical because remote exploitation is impossible and privilege escalation is not feasible through this vector alone.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerability requires local code execution and a local unprivileged process to invoke the vulnerable ioctl. There is no network vector.

Does this affect all Linux users, or only those with Qualcomm Adreno GPUs?

This affects only systems with the MSM DRM driver enabled, which corresponds to devices with Qualcomm Adreno GPUs. Many generic distributions may have the code compiled in conditionally or as a module. Check your kernel configuration to determine if msm/gem is present.

What is the real-world impact of the silent error return?

If copy_to_user() fails (e.g., due to an invalid buffer address), userspace cannot distinguish success from failure because the function returns 0 in both cases. This can cause applications to operate on uninitialized or partial metadata, leading to graphical corruption, incorrect behavior, or crashes in the calling application.

Is this flaw present in the SET metadata function too?

No. The msm_ioctl_gem_info_set_metadata() function correctly returns ret, which is why the asymmetry was noticed. Only the GET variant has the error-handling bug.

This analysis is based on the CVE description and available public information. CVSS scores, affected versions, and patch guidance should be verified against official vendor advisories before making production decisions. SEC.co does not provide guarantees regarding the completeness or accuracy of remediation steps. Always consult your Linux distribution's security team and the kernel maintainers for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).