Description
In the Linux kernel, the following vulnerability has been resolved:

drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()

Since GEM bo handles are u32 in the uapi and the internal implementation
uses idr_alloc() which uses int ranges, passing a new handle larger than
INT_MAX trivially triggers a kernel warning:

idr_alloc():
...
if (WARN_ON_ONCE(start < 0))
return -EINVAL;
...

Fix it by rejecting new handles above INT_MAX and at the same time make
the end limit calculation more obvious by moving into int domain.
Published: 2026-02-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel warning generation
Action: Apply patch
AI Analysis

Impact

The flaw resides in the DRM subsystem’s drm_gem_change_handle_ioctl() function. GEM object handles are 32‑bit unsigned values exposed to userspace, but the kernel maps them to signed int indices via idr_alloc(). When a handle greater than the maximum value of a signed int is supplied, the code triggers WARN_ON_ONCE, logging a kernel warning. The description does not claim any denial‑of‑service or compromise of confidentiality or integrity; it only indicates that an attacker can force kernel log entries to be produced.

Affected Systems

The vulnerability exists in the Linux 6.19 release candidates from rc1 through rc7, where the problematic idr_alloc() usage is part of the DRM GEM handling logic. The issue is tied to the kernel’s handling of Graphics Execution Manager (GEM) objects and the DRM device interface.

Risk and Exploitability

The CVSS score of 5.5 signals a moderate severity, and the EPSS score indicates a low exploitation probability (< 1%). The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local user access to the DRM device; an attacker with such access can invoke the ioctl and supply an out‑of‑range handle to cause the warning. No active exploits have been reported.

Generated by OpenCVE AI on April 18, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that includes the patch for drm_gem_change_handle_ioctl(), such as the final 6.19 release or a later stable version.
  • Restrict access to the DRM device by adjusting file permissions or applying mandatory access controls (SELinux/AppArmor) so that only trusted users can invoke the ioctl.
  • If GPU support is unnecessary, compile the kernel without the offending GPU drivers or explicitly disable the DRM module to reduce the attack surface.

Generated by OpenCVE AI on April 18, 2026 at 20:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-704

Tue, 17 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Sat, 14 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl() Since GEM bo handles are u32 in the uapi and the internal implementation uses idr_alloc() which uses int ranges, passing a new handle larger than INT_MAX trivially triggers a kernel warning: idr_alloc(): ... if (WARN_ON_ONCE(start < 0)) return -EINVAL; ... Fix it by rejecting new handles above INT_MAX and at the same time make the end limit calculation more obvious by moving into int domain.
Title drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-14T16:01:18.281Z

Reserved: 2026-01-13T15:37:45.975Z

Link: CVE-2026-23149

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-14T16:15:55.023

Modified: 2026-03-17T21:12:29.223

Link: CVE-2026-23149

cve-icon Redhat

Severity : Low

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23149 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses