MEDIUM 5.5

CVE-2026-46247: Linux Kernel GFX3D Clock Driver Denial-of-Service Vulnerability

This vulnerability affects the Linux kernel's clock management subsystem, specifically the graphics processor (GFX3D) clock driver. A bug in how parent clock information is passed during rate calculations causes the system to crash when the GPU attempts to change its operating frequency. The issue emerged after a code refactoring that changed how clock dividers calculate rates. When the GPU's power management system tries to adjust clock speed—a routine operation during dynamic frequency scaling—the missing parent clock information causes a kernel panic. The vulnerability requires local access and affects systems running vulnerable kernel versions on Qualcomm-based devices.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: clk: qcom: gfx3d: add parent to parent request map After commit d228ece36345 ("clk: divider: remove round_rate() in favor of determine_rate()") determining GFX3D clock rate crashes, because the passed parent map doesn't provide the expected best_parent_hw clock (with the roundd_rate path before the offending commit the best_parent_hw was ignored). Set the field in parent_req in addition to setting it in the req, fixing the crash. clk_hw_round_rate (drivers/clk/clk.c:1764) (P) clk_divider_bestdiv (drivers/clk/clk-divider.c:336) divider_determine_rate (drivers/clk/clk-divider.c:358) clk_alpha_pll_postdiv_determine_rate (drivers/clk/qcom/clk-alpha-pll.c:1275) clk_core_determine_round_nolock (drivers/clk/clk.c:1606) clk_core_round_rate_nolock (drivers/clk/clk.c:1701) __clk_determine_rate (drivers/clk/clk.c:1741) clk_gfx3d_determine_rate (drivers/clk/qcom/clk-rcg2.c:1268) clk_core_determine_round_nolock (drivers/clk/clk.c:1606) clk_core_round_rate_nolock (drivers/clk/clk.c:1701) clk_core_round_rate_nolock (drivers/clk/clk.c:1710) clk_round_rate (drivers/clk/clk.c:1804) dev_pm_opp_set_rate (drivers/opp/core.c:1440 (discriminator 1)) msm_devfreq_target (drivers/gpu/drm/msm/msm_gpu_devfreq.c:51) devfreq_set_target (drivers/devfreq/devfreq.c:360) devfreq_update_target (drivers/devfreq/devfreq.c:426) devfreq_monitor (drivers/devfreq/devfreq.c:458) process_one_work (arch/arm64/include/asm/jump_label.h:36 include/trace/events/workqueue.h:110 kernel/workqueue.c:3284) worker_thread (kernel/workqueue.c:3356 (discriminator 2) kernel/workqueue.c:3443 (discriminator 2)) kthread (kernel/kthread.c:467) ret_from_fork (arch/arm64/kernel/entry.S:861)

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46247 is a null pointer dereference or missing data structure initialization in the Qualcomm GFX3D clock driver (drivers/clk/qcom/clk-rcg2.c). The root cause lies in commit d228ece36345, which refactored the divider clock's rate determination logic from round_rate() to determine_rate(). The new code path expects the parent_req structure to contain a populated best_parent_hw field, but the GFX3D driver's clk_gfx3d_determine_rate() function fails to set this field when constructing the parent clock request. When clk_divider_bestdiv() is later invoked via the call chain triggered by dev_pm_opp_set_rate() (the operating point voting mechanism), it attempts to dereference an uninitialized or NULL best_parent_hw pointer, causing a kernel crash. The fix involves ensuring that the parent_req structure's best_parent_hw field is populated alongside the primary request structure during clock rate determination.

Business impact

While this vulnerability does not lead to privilege escalation or data theft, it causes a denial-of-service condition on affected devices. The crash occurs during GPU frequency scaling, which is triggered by the system's devfreq power management framework. On mobile and embedded devices using Qualcomm SoCs, this can result in GPU lockups, rendering the device unusable or forcing a reboot. For server environments or edge compute platforms relying on Qualcomm processors, unplanned kernel panics disrupt service availability. The vulnerability is particularly problematic because it strikes at a fundamental device operation (power-efficient GPU throttling) that occurs frequently during normal use, making workarounds difficult without kernel patching.

Affected systems

The vulnerability affects Linux kernel systems using Qualcomm's GFX3D GPU clock driver, present on Snapdragon and similar Qualcomm SoC-based devices. This includes Android smartphones and tablets, IoT edge devices, automotive platforms, and specialized embedded systems that rely on Qualcomm processors with integrated GPUs. The specific affected kernel versions are those that include commit d228ece36345 and the vulnerable GFX3D driver code without the fix applied. Desktop and server systems using non-Qualcomm GPUs or kernels without the affected clock driver code are not impacted.

Exploitability

Exploitability is limited by the local-only attack vector and requirement for unprivileged user privilege (PR:L in the CVSS vector). A local user must trigger GPU frequency scaling to manifest the crash; this naturally occurs during GPU workloads or can be induced by calling clock rate adjustment APIs. The crash is highly reliable once triggered, but weaponization for malicious denial-of-service requires local system access. There is no remote exploitation path, and the vulnerability cannot be leveraged for code execution or information disclosure. The vulnerability is fundamentally a logic bug rather than a memory corruption flaw.

Remediation

The fix is straightforward: ensure the parent_req structure's best_parent_hw field is set when the GFX3D driver constructs parent clock requests. This typically involves populating parent_req with the same parent hardware clock information used in the primary request structure. The kernel maintainers have resolved this in subsequent patches to the clk-rcg2.c driver. Organizations should apply the patched kernel version provided by their device vendor or kernel distribution. For Qualcomm-based device manufacturers, coordinate with Qualcomm and upstream kernel maintainers to obtain and integrate the fix. Until patching is feasible, users should avoid intensive GPU workloads that trigger frequency scaling, though this is rarely a practical long-term mitigation.

Patch guidance

Identify the kernel version running on affected devices using 'uname -r' or equivalent. Check the Qualcomm and linux-kernel security advisories for patched versions addressing CVE-2026-46247. For Android devices, updates typically come through device manufacturer security patches; contact your OEM for availability. For custom kernel deployments, apply the fix from upstream linux-kernel repositories or Qualcomm's BSP (Board Support Package) release. Verify the applied patch by confirming that the parent_req.best_parent_hw field is populated in the clk_gfx3d_determine_rate() function. Test that GPU frequency scaling operates normally post-patch by running GPU-intensive workloads and monitoring system stability.

Detection guidance

Monitor kernel logs for panic or oops messages mentioning clk_gfx3d_determine_rate, clk_divider_bestdiv, or devfreq/GPU clock operations. Search for crashes occurring in the call chain: msm_devfreq_target → dev_pm_opp_set_rate → clock rate rounding. On affected systems, enable detailed GPU/clock tracing using kernel tracepoints (trace_clk_round_rate, trace_devfreq_target) to capture the exact conditions triggering the crash. System monitoring tools may alert on unexpected GPU state changes or kernel panics during routine operation. Device telemetry showing repeated GPU thermal throttling attempts followed by system resets suggests the vulnerability is being triggered.

Why prioritize this

Assign this vulnerability medium-to-high priority for any Qualcomm SoC-based deployments, particularly those running sustained GPU workloads. The CVSS 5.5 (MEDIUM) rating reflects the local-only attack surface and denial-of-service impact, yet the practical severity is elevated because the crash occurs during normal device operation (power management) rather than requiring deliberate exploitation. For production mobile and edge computing environments, kernel stability is paramount; a crash during routine GPU frequency adjustment is unacceptable. Prioritize patching for user-facing devices and public-facing edge compute clusters first, then extend to development and lab environments.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects: Attack Vector (Local)—requires local access; Attack Complexity (Low)—no special conditions needed to trigger; Privileges Required (Low)—unprivileged user can cause the crash; User Interaction (None)—no user action required beyond normal GPU usage; Scope (Unchanged)—impact limited to the affected system; Confidentiality/Integrity (None)—no data exposure or corruption; Availability (High)—reliable denial-of-service via kernel panic. The score appropriately captures the limited attack surface but does not fully convey the operational impact of crashes during normal power management, which organizations should weigh in their own risk assessments.

Frequently asked questions

Will this vulnerability affect my Linux system if I don't use a GPU?

Only if your system uses a Qualcomm SoC with an integrated GPU and the vulnerable kernel version. Desktop and server systems without Qualcomm GPUs (e.g., using NVIDIA, Intel, AMD discrete GPUs or no GPU) are unaffected because they do not include the vulnerable GFX3D clock driver code.

Can this vulnerability be exploited remotely?

No. The vulnerability requires local system access and is triggered by GPU frequency scaling operations initiated by the device itself or a local user. There is no network-based exploit path.

What happens if the crash occurs repeatedly?

Repeated crashes during GPU operations can render a device unusable, forcing users to reboot and limiting GPU-intensive activities. On mobile devices, this degrades performance and battery efficiency. For edge computing and automotive applications, unpredictable crashes may violate uptime or safety requirements.

Does this vulnerability allow privilege escalation or data theft?

No. The vulnerability causes a kernel panic (denial-of-service) but does not lead to unauthorized access, privilege escalation, or information disclosure. The crash terminates the GPU operation and potentially the application using it, but does not compromise system security or expose sensitive data.

This analysis is provided for informational purposes and represents the current understanding of CVE-2026-46247 based on available technical disclosures. Organizations should independently verify all patch versions, affected products, and remediation steps against official vendor advisories and their own system configurations. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance for specific deployments. Testing should be conducted in non-production environments before applying patches to critical systems. For official guidance, consult Linux kernel security advisories, Qualcomm security bulletins, and your device manufacturer's security notices. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).