CVE-2026-46215: Linux Kernel DRM Use-After-Free in change_handle
A race condition exists in the Linux kernel's DRM (Direct Rendering Manager) subsystem, specifically in the change_handle function. When an application changes a graphics handle, the kernel briefly maintains two references to the same object in its internal tracking structures. A concurrent operation can delete the graphics object while one reference remains valid, leaving a dangling pointer that could later be dereferenced, causing a crash or potential code execution. The fix involves properly nullifying the old handle before performing operations, matching a defensive pattern already used elsewhere in the DRM code.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: drm: Set old handle to NULL before prime swap in change_handle There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free. To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it. create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration. v2: cleanups of error paths
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46215 is a use-after-free vulnerability (CWE-416) in the Linux kernel's DRM subsystem, occurring in the change_handle ioctl handler. The vulnerability arises from a time-of-check-time-of-use (TOCTOU) race between change_handle and concurrent gem_close operations. During handle replacement, change_handle creates a transient state where a single DRM GEM object has two idr (ID Radix tree) entries. If gem_close is invoked concurrently, it may delete the object and release one handle while the other remains registered, creating a dangling reference. The patch applies the same synchronization pattern used in create_tail and other DRM functions: idr_replace the old handle to NULL immediately, then perform prime operations while holding the prime lock, and finally close the old handle if operations succeed. This serializes the critical section and prevents concurrent deletions from observing the object in an inconsistent state.
Business impact
This vulnerability affects systems running vulnerable Linux kernels where user-space applications interact with graphics drivers through the DRM subsystem. Local attackers with permissions to use graphics APIs can trigger the race condition, potentially achieving denial of service (kernel crash) or, in specific configurations, information disclosure or privilege escalation. GPU-enabled systems, containers with GPU pass-through, and systems with unprivileged graphics access are at elevated risk. The impact is primarily confined to availability and system stability unless the attacker can leverage the use-after-free for code execution in kernel context.
Affected systems
The Linux kernel is affected across versions prior to the fix. The vulnerability requires local access and the ability to issue DRM ioctl calls; this is available to any user with access to a DRM device node (typically /dev/dri/card* or /dev/dri/renderD*). Affected systems include desktop Linux distributions, embedded Linux systems with GPU support, container hosts exposing DRM devices, and specialized compute platforms using GPU acceleration. The vulnerability does not affect systems without DRM graphics subsystem enabled.
Exploitability
Exploitability is moderate. An unprivileged local user can trigger the race condition by rapidly calling the change_handle ioctl while concurrently closing graphics handles. However, reliably triggering the race requires precise timing and knowledge of the kernel's internal scheduler. The attack is repeatable on a given system if timing conditions align. Weaponization into reliable code execution is non-trivial because the use-after-free occurs within DRM's reference-counted object model, where many accesses are bounds-checked. Proof-of-concept code could reliably cause denial of service; achieving code execution would require additional kernel mitigations to be bypassed.
Remediation
Apply the Linux kernel patch that modifies change_handle to idr_replace the old handle with NULL before executing prime operations, and defer closing the old handle until after the operation succeeds. This change is present in kernel versions released after the fix date. Organizations should verify the exact kernel version containing this fix against the Linux kernel security advisory and their distribution's release notes. No workaround is available for unpatched systems other than restricting access to DRM device nodes to trusted users.
Patch guidance
Obtain and test the patched Linux kernel version from your distribution or kernel.org. The fix involves a small change to the DRM subsystem's change_handle function; verify the patch hash against the Linux kernel stable tree to ensure authenticity. Test in a staging environment before deploying to production systems. Reboot is required to activate the patched kernel. For enterprise distributions (Red Hat, Canonical, SUSE), check published security advisories for official patch releases and timelines.
Detection guidance
Monitor system logs for repeated DRM ioctl failures or kernel BUG/WARN messages referencing drm_gem_handle_create or prime operations. Kernel Address Sanitizer (KASAN) will reliably detect use-after-free if enabled in debug builds. In production, intrusion detection focused on rapid gem_close and change_handle syscall sequences from a single process could indicate attempted exploitation. Check kernel messages with dmesg or journalctl for references to 'use-after-free' and drm subsystem errors after system crashes.
Why prioritize this
A HIGH severity local privilege escalation and denial of service vector affecting a core kernel subsystem. The combination of moderate exploitability, local-only requirement, and significant impact on system stability and security justifies immediate patching for systems exposing DRM devices to untrusted users. Desktop and container environments should prioritize this patch highly.
Risk score, explained
CVSS 3.1 score of 7.8 (HIGH) reflects: Local attack vector (AV:L), low complexity to trigger (AC:L), low privilege requirement (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately weights the kernel context of the vulnerability and potential for denial of service and information disclosure, despite exploitation requiring local access and precise timing.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-46215 requires local access and the ability to issue DRM ioctl calls on the target system. Remote exploitation is not possible.
Does this affect systems without GPUs?
Only if DRM is compiled into the kernel and device nodes are accessible. Systems with DRM disabled or without any graphics hardware present are not vulnerable.
What is the difference between this fix and the earlier gem_close fix it references?
This vulnerability uses the same defensive pattern (idr_replace to NULL before critical operations) as a previous fix in gem_close. The change_handle function was missing this protection, creating a window where the object could be concurrently deleted while a dangling reference remained.
Will a kernel update from my distribution include this fix?
Likely, but verify by checking your distribution's security advisories and kernel release notes. Enterprise distributions typically publish timelines. Check against the patch date (2026-05-28) and confirmed fixed versions in the vendor security bulletin.
This analysis is based on the published CVE record and kernel patch details as of the modification date. Exploit code is not provided. Organizations must verify patch availability and compatibility with their specific kernel versions and distributions before deployment. Testing in a non-production environment is strongly recommended. No liability is assumed for outcomes of patch deployment decisions. For the most current patch status and distribution-specific guidance, consult your Linux vendor's official security advisories. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance