CVE-2026-46314: Linux Kernel DRM v3d Infinite Loop DoS Vulnerability
A flaw in the Linux kernel's DRM v3d driver allows a local user to trigger an infinite loop by submitting a maliciously crafted system call with a self-referential extension structure containing zero synchronization counts. This causes the kernel to hang indefinitely, consuming CPU resources and freezing the affected process. An attacker with local access can exploit this to perform a denial-of-service attack on systems running vulnerable kernel versions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-835
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Reject empty multisync extension to prevent infinite loop v3d_get_extensions() walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referential extension (ext->next == &ext) with zero in_sync_count and out_sync_count, which bypasses the existing duplicate- extension guard: if (se->in_sync_count || se->out_sync_count) return -EINVAL; The guard never fires because v3d_get_multisync_post_deps() returns immediately when count is zero, leaving both fields at zero on every iteration. The result is an infinite loop in kernel context, blocking the calling thread and pegging a CPU core indefinitely. Fix this by rejecting a multisync extension where both in_sync_count and out_sync_count are zero in v3d_get_multisync_submit_deps(). An empty multisync carries no synchronization information and serves no useful purpose, so returning -EINVAL for such an extension is the correct defense against this attack vector.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in v3d_get_extensions(), which processes a user-controlled linked list of ioctl extensions without bounds checking. An attacker can construct a self-referential extension (where ext->next points back to itself) with both in_sync_count and out_sync_count set to zero. The existing guard that checks for non-zero counts fails to trigger because v3d_get_multisync_post_deps() returns immediately when the count is zero, never updating the extension fields. This allows the kernel to loop indefinitely while processing the same extension. The fix rejects any multisync extension where both synchronization counts are zero, returning -EINVAL and preventing the infinite loop condition.
Business impact
This vulnerability enables local denial-of-service attacks that can freeze individual user processes or threads by consuming full CPU cores indefinitely. On multi-user systems, an unprivileged attacker can disrupt service availability for other users or applications. Systems with GPU workloads (graphics, compute) relying on the v3d driver are particularly affected, as hung processes may also prevent resource cleanup and accumulate over time if exploited repeatedly.
Affected systems
The Linux kernel, specifically systems with the DRM v3d (VideoCore V3D) driver enabled. This affects Raspberry Pi and similar devices using VideoCore V3D GPUs, as well as any Linux systems configured with v3d driver support. Affected versions are those prior to the patch resolving this issue; consult vendor advisories and kernel.org for exact version boundaries.
Exploitability
Exploitability is straightforward for local users. No kernel code execution or privilege escalation is required—only the ability to submit an ioctl system call to the v3d device, typically available to any user with read-write access to /dev/dri/card* or similar device nodes. The attack requires no special race conditions or timing; a single crafted syscall triggers the hang. Unprivileged users on systems where GPU device access is broadly permitted face particular risk.
Remediation
Apply kernel patches that add explicit validation to reject multisync extensions with zero in_sync_count and out_sync_count in the v3d_get_multisync_submit_deps() function. Update to a patched kernel version once available from your distribution or kernel.org. Administrators should prioritize systems with v3d driver enabled and shared GPU access policies.
Patch guidance
Monitor your Linux distribution's security advisories for kernel updates addressing CVE-2026-46314. The fix is surgical—a simple validation check added to v3d_get_multisync_submit_deps()—so patched versions should be safe to deploy without extensive compatibility testing. Verify patch status against your kernel source or distribution release notes before deployment.
Detection guidance
Monitor system logs and kernel debug output for signs of CPU saturation caused by hung kernel tasks in the v3d subsystem. Tools like 'dmesg', 'sysstat', and 'perf' can identify runaway kernel threads. Process monitoring for high CPU utilization tied to GPU ioctl calls may indicate exploitation attempts. Network-isolated systems or those without v3d driver loaded are not vulnerable and do not require monitoring.
Why prioritize this
Although this is a local denial-of-service with medium CVSS (5.5), it merits prompt attention because: (1) exploitation is trivial and requires no privilege escalation, (2) it completely freezes affected processes, disrupting availability, (3) systems with shared GPU access face elevated risk, and (4) the fix is straightforward and low-risk to deploy. Prioritize systems with v3d enabled and multi-user access policies.
Risk score, explained
CVSS 5.5 (Medium) reflects a local-only attack vector, lack of confidentiality or integrity impact, and the requirement for user-level privileges. However, the ease of exploitation and the severity of the denial-of-service (complete process hang) mean this should not be treated as low-priority; context-aware prioritization is needed based on your device inventory and GPU driver exposure.
Frequently asked questions
Can a remote attacker exploit this vulnerability?
No. The vulnerability requires local access and the ability to submit ioctl calls to the v3d device. Remote exploitation is not possible.
Does this affect systems without the v3d driver enabled?
No. Systems without the DRM v3d driver (most servers, many desktops) are not vulnerable. Vulnerability is limited to systems with v3d driver compiled and loaded, typically Raspberry Pi and similar platforms.
What happens if an attacker exploits this?
The attacked process or thread will hang indefinitely, with the kernel stuck in an infinite loop. This consumes a full CPU core and freezes the application, effectively denying service until reboot or manual process termination.
Is patching risky or complex?
No. The fix is a simple validation check added early in the extension processing path. Patched kernels should be stable and safe to deploy without special testing.
This analysis is based on the CVE description and publicly available information as of the publish date. Actual patch availability, version numbers, and distribution timelines should be verified against official Linux kernel advisories, your distribution's security updates, and kernel.org. No guarantee is made regarding the completeness or future applicability of this guidance; always consult vendor advisories for definitive remediation steps. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46146MEDIUMLinux Kernel USB Audio Infinite Loop DoS Vulnerability
- CVE-2026-10028MEDIUMglib-networking GnuTLS Certificate Validation Denial-of-Service
- CVE-2026-41150MEDIUMMermaid Gantt Chart DoS via Excludes Attribute
- CVE-2026-44740MEDIUMBilly Go Library Denial-of-Service via Input Validation Flaws
- CVE-2026-44186HIGHApache HTTP Server mod_proxy_ftp Infinite Loop Denial of Service
- CVE-2026-46385HIGHiskorotkov/avro Denial-of-Service via Unbounded Block Iteration
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout