Description
In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Return the correct value in vmw_translate_ptr functions

Before the referenced fixes these functions used a lookup function that
returned a pointer. This was changed to another lookup function that
returned an error code with the pointer becoming an out parameter.

The error path when the lookup failed was not changed to reflect this
change and the code continued to return the PTR_ERR of the now
uninitialized pointer. This could cause the vmw_translate_ptr functions
to return success when they actually failed causing further uninitialized
and OOB accesses.
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption
Action: Apply Patch
AI Analysis

Impact

The issue resides in the vmw_translate_ptr functions of the Linux kernel drm/vmwgfx driver. A change in the lookup function caused the error path to incorrectly return the PTR_ERR of an uninitialized pointer, resulting in the functions reporting success when they had actually failed. This flaw can lead to uninitialized variable usage and out‑of‑bounds memory accesses within the kernel, creating an opportunity for memory corruption that could potentially allow privilege escalation or denial of service.

Affected Systems

The vulnerability applies to any system running the Linux kernel with the drm/vmwgfx driver, which includes Linux guests in VMware virtualized environments. No specific kernel version range is listed, but all kernels lacking the recent patches that corrected the return semantics are affected.

Risk and Exploitability

With a CVSS score of 7.8 the vulnerability is classified as High severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild at present, and the issue is not in the CISA KEV catalog. Attackers would need to exploit the driver’s interface, likely requiring local or remote privilege escalated access to the guest OS to trigger the buggy function paths. Given the kernel context, successful exploitation could lead to arbitrary code execution or a crash of the host or guest system.

Generated by OpenCVE AI on April 2, 2026 at 21:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the fix for vmw_translate_ptr error handling.
  • Verify kernel version with "uname -r" and compare against vendor release notes to ensure the patch has been applied.
  • If an update is not yet available, monitor vendor advisories and plan a kernel upgrade as soon as the patch is released.

Generated by OpenCVE AI on April 2, 2026 at 21:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-593
CWE-749

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-390
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-593
CWE-749

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that returned an error code with the pointer becoming an out parameter. The error path when the lookup failed was not changed to reflect this change and the code continued to return the PTR_ERR of the now uninitialized pointer. This could cause the vmw_translate_ptr functions to return success when they actually failed causing further uninitialized and OOB accesses.
Title drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:04:16.604Z

Reserved: 2026-01-13T15:37:45.995Z

Link: CVE-2026-23317

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:28.220

Modified: 2026-04-02T15:16:30.920

Link: CVE-2026-23317

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23317 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:39:06Z

Weaknesses