Description
In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Return the correct value in vmw_translate_ptr functions

Before the referenced fixes these functions used a lookup function that
returned a pointer. This was changed to another lookup function that
returned an error code with the pointer becoming an out parameter.

The error path when the lookup failed was not changed to reflect this
change and the code continued to return the PTR_ERR of the now
uninitialized pointer. This could cause the vmw_translate_ptr functions
to return success when they actually failed causing further uninitialized
and OOB accesses.
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the vmw_translate_ptr functions of the Linux kernel's drm/vmwgfx driver. The code change switched from returning a pointer to returning an error code with the pointer as an out parameter, but the error handling path was not updated. As a result, the function can return a PTR_ERR of an uninitialized pointer, causing the driver to report success when the lookup actually failed. This flaw can lead to uninitialized memory usage and out‑of‑bounds accesses inside the kernel, creating opportunities for memory corruption that could compromise confidentiality, integrity, or availability.

Affected Systems

Any Linux system that loads the drm/vmwgfx driver is potentially affected. The kernel versions impacted are those prior to the patch that corrected the lookup return semantics; specific version ranges are not provided in the CNA data, so all earlier kernel releases are considered vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need the ability to invoke the drm/vmwgfx driver’s translation functions, which typically requires local access or privilege escalation. The attack could result in arbitrary kernel memory corruption, leading to privilege escalation or denial‑of‑service.

Generated by OpenCVE AI on April 29, 2026 at 02:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the vmw_translate_ptr fixes.
  • If an update is not immediately available, prevent the vmwgfx module from loading (e.g., add vmwgfx to /etc/modprobe.d/blacklist.conf).
  • Monitor vendor advisories and schedule a kernel upgrade as soon as the patch reaches production.

Generated by OpenCVE AI on April 29, 2026 at 02:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Thu, 23 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
CPEs cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-593
CWE-749

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-390
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-593
CWE-749

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that returned an error code with the pointer becoming an out parameter. The error path when the lookup failed was not changed to reflect this change and the code continued to return the PTR_ERR of the now uninitialized pointer. This could cause the vmw_translate_ptr functions to return success when they actually failed causing further uninitialized and OOB accesses.
Title drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:04:16.604Z

Reserved: 2026-01-13T15:37:45.995Z

Link: CVE-2026-23317

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:28.220

Modified: 2026-04-23T21:09:29.110

Link: CVE-2026-23317

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23317 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:15:47Z

Weaknesses