MEDIUM 5.5

CVE-2026-46312: Linux Kernel vb2_dma_sg mmap Missing VM Flags — Medium Severity

A flaw in the Linux kernel's video buffer management can trigger a kernel warning when memory-mapped video buffers from certain capture drivers are accessed through the graphics subsystem. While the warning itself doesn't cause data loss or direct compromise, it indicates improperly configured memory protections that should have been set. This affects primarily developers and systems running specialized camera capture software on affected kernels.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: media: videobuf2: Set vma_flags in vb2_dma_sg_mmap vb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not see a reason why vb2_dma_sg should behave differently. This avoids hitting `WARN_ON(!(vma->vm_flags & VM_DONTEXPAND));` in drm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of tree Apple ISP camera capture driver which uses vb2_dma_sg_memops. gst-launch-1.0 v4l2src ! gtk4paintablesink [ 38.201528] ------------[ cut here ]------------ [ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210 [ 38.203278] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device uinput nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr bnep nls_ascii i2c_dev loop fuse dm_multipath nfnetlink brcmfmac_wcc hid_magicmouse hci_bcm4377 brcmfmac brcmutil bluetooth ecdh_generic cfg80211 ecc btrfs xor xor_neon rfkill hid_apple raid6_pq joydev aop_als apple_nvmem_spmi industrialio snd_soc_aop apple_z2 snd_soc_cs42l84 tps6598x snd_soc_tas2764 macsmc_reboot spi_nor macsmc_hwmon rtc_macsmc gpio_macsmc macsmc_power regmap_spmi macsmc_input dockchannel_hid panel_summit appledrm nvme_apple dwc3 snd_soc_macaudio drm_client_lib nvme_core phy_apple_atc hwmon apple_sart apple_dockchannel macsmc apple_rtkit_helper spmi_apple_controller aop apple_wdt mfd_core nvmem_apple_efuses pinctrl_apple_gpio apple_isp apple_dcp videobuf2_dma_sg mux_core spi_apple [ 38.203300] videobuf2_memops i2c_pasemi_platform snd_soc_apple_mca videobuf2_v4l2 videodev clk_apple_nco videobuf2_common snd_pcm_dmaengine adpdrm asahi apple_admac adpdrm_mipi drm_dma_helper pwm_apple i2c_pasemi_core drm_display_helper mc cec apple_dart ofpart apple_soc_cpufreq leds_pwm phram [ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full) [ 38.219040] Tainted: [W]=WARN [ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT) [ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210 [ 38.221643] lr : drm_gem_mmap_obj+0x78/0x210 [ 38.222178] sp : ffffc0008dc678e0 [ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480 [ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968 [ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0 [ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968 [ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8 [ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff [ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8 [ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000 [ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038 [ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb [ 38.231488] Call trace: [ 38.231806] drm_gem_mmap_obj+0x1f8/0x210 (P) [ 38.232342] drm_gem_mmap+0x140/0x260 [ 38.232813] __mmap_region+0x488/0x9a0 [ 38.233277] mmap_region+0xd0/0x148 [ 38.233703] do_mmap+0x350/0x5c0 [ 38.234148] vm_mmap_pgoff+0x14c/0x200 [ 38.234612] ksys_mmap_pgoff+0x150/0x208 [ 38.235107] __arm64_sys_mmap+0x34/0x50 [ 38.235611] invoke_syscall+0x50/0x120 [ 38.236075] el0_svc_common.constprop.0+0x48/0xf0 [ 38.236680] do_el0_svc+0x24/0x38 [ 38.237113] el0_svc+0x38/0x168 [ 38.237507] el0t_64_sync_handler+0xa0/0xe8 [ 38.238034] el0t_64_sync+0x198/0x1a0 [ 38.238491] ---[ end trace 0000000000000000 ]--- There were discussions in [1] at the end of 2023 that mmap() on imported ---truncated---

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the vb2_dma_sg_mmap function within the videobuf2 subsystem. The function fails to set VM_DONTEXPAND and VM_DONTDUMP flags on virtual memory areas during mmap operations, which other similar DMA allocation paths (vb2_dma_contig) correctly implement. When imported DMA buffers from cameras using vb2_dma_sg_memops are subsequently mapped by DRM subsystem code, the missing flags trigger a WARN_ON assertion in drm_gem_mmap_obj, exposing a state inconsistency. The issue manifests during multimedia pipeline operations involving v4l2 capture and graphics rendering (e.g., gst-launch with v4l2src and GTK4 sinks).

Business impact

For most enterprise environments, impact is minimal since this affects niche multimedia and camera capture workflows, particularly on ARM-based systems like Apple Silicon Macs running specialized out-of-tree drivers. However, organizations deploying embedded vision systems, autonomous vehicle stacks, or media production workloads that combine v4l2 capture with GPU rendering should evaluate exposure. The kernel warning itself degrades system stability perception and can clutter logs, but does not enable privilege escalation, data theft, or service denial in isolation.

Affected systems

The Linux kernel is affected, specifically versions where vb2_dma_sg mmap functionality is present without the VM flags fix. ARM64 systems (particularly Apple Silicon) running newer kernels with concurrent DRM and videobuf2 integration are most visible in reported cases. Any Linux distribution shipping unpatched kernels used in camera capture, video processing, or multimedia applications could be vulnerable. The issue is architecture-neutral but most visible in systems integrating v4l2 camera drivers with GPU graphics stacks.

Exploitability

This is not exploitable for privilege escalation or code execution. The vulnerability requires local access and an active multimedia workflow combining v4l2 video capture with DRM-managed graphics buffers. The condition is triggered during normal mmap syscalls by unprivileged user processes, but the outcome is a kernel warning rather than memory corruption or system compromise. Exploitation difficulty is low (standard syscall sequence), but impact severity is low (log pollution and stability concerns rather than security breach).

Remediation

Apply Linux kernel patches that add VM_DONTEXPAND and VM_DONTDUMP flag initialization to the vb2_dma_sg_mmap function, bringing its behavior into alignment with vb2_dma_contig. Verify the patch against the upstream Linux repository. Systems not running multimedia video capture workflows combining v4l2 with GPU rendering have reduced urgency. Enterprises should prioritize kernels used in embedded vision, automotive, or production media systems.

Patch guidance

Obtain the fix from upstream Linux kernel releases or your distribution's kernel update channels. The patch modifies the vb2_dma_sg_mmap implementation to initialize vma->vm_flags with VM_DONTEXPAND and VM_DONTDUMP before the mmap operation completes, matching the pattern already used in vb2_dma_contig_mmap. Verify patch application against the vendor advisory and test in environments running v4l2 camera capture and GPU graphics workloads. Backport availability depends on your distribution's support lifecycle.

Detection guidance

Monitor kernel logs for WARN_ON messages originating from drm_gem_mmap_obj with the pattern 'WARNING: CPU.*at drivers/gpu/drm/drm_gem.c:1144'. These warnings indicate the vma->vm_flags assertion failure. Cross-reference with active multimedia processes (gst-launch, ffmpeg, camera applications) at the time of warning. Kernel taint flags will show 'W' (WARN) in dmesg output. Detection does not indicate exploitation but confirms exposure to the underlying condition.

Why prioritize this

Medium CVSS (5.5) reflects local-only access requirements and denial-of-availability impact via kernel instability rather than confidentiality or integrity breaches. Prioritization should account for whether your infrastructure runs v4l2 video capture pipelines; general Linux servers and desktops without multimedia workloads face minimal practical risk. Prioritize patching in embedded systems, automotive platforms, and media production environments where this code path is active.

Risk score, explained

CVSS 5.5 (Medium) reflects: AV:Local (requires local access), AC:Low (easy to trigger via standard mmap syscalls), PR:Low (unprivileged user can trigger), UI:None, S:Unchanged, C:None (no confidentiality impact), I:None (no integrity impact), A:High (kernel warning indicates memory protection failure risking system stability). The score appropriately captures that while exploitability is straightforward, actual harm is limited to systems with specific workload characteristics.

Frequently asked questions

Will this vulnerability cause my video calls or streaming apps to crash?

Not directly. The kernel warning indicates a memory protection inconsistency but does not cause immediate application crashes. However, repeated warnings degrade system stability and could eventually lead to log exhaustion or kernel panics in edge cases. Most users running standard Linux workloads will not encounter this condition.

Do I need to patch immediately if I run Docker containers with no GPU or camera access?

No. This vulnerability requires active use of v4l2 video capture combined with GPU/DRM memory mapping. If your containers do not use camera drivers or GPU graphics, you are not at risk. Prioritize patching for systems running multimedia pipelines, embedded vision applications, or media production workloads.

What is the difference between this and a real memory safety bug?

This is a configuration/state consistency issue, not a memory corruption vulnerability. The underlying memory management is sound, but a protective flag is missing. The warning indicates the code path should not have reached that state, alerting developers to fix the root cause. It does not enable attackers to read memory, corrupt data, or gain privileges.

Is this related to other Linux kernel memory bugs like CVE-2023-XXXXX?

No. This is specific to videobuf2 DMA buffer handling and video capture workflows. It is not connected to broader kernel memory vulnerabilities. The fix is narrowly scoped to aligning vb2_dma_sg behavior with existing patterns in the codebase.

This analysis is based on source data as of publication date. CVSS scores, affected versions, and patch availability are subject to change and should be verified against upstream vendor advisories and your specific kernel distribution. No exploit code is discussed. Organizations should conduct their own risk assessment accounting for their specific multimedia and GPU workload exposure. This advisory does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).