CVE-2026-43287 - Vulnerability Details

- drm: Account property blob allocations to memcg

Description

In the Linux kernel, the following vulnerability has been resolved:

drm: Account property blob allocations to memcg

DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized
property blobs backed by kernel memory.

Currently, the blob data allocation is not accounted to the allocating
process's memory cgroup, allowing unprivileged users to trigger unbounded
kernel memory consumption and potentially cause system-wide OOM.

Mark the property blob data allocation with GFP_KERNEL_ACCOUNT so that the memory
is properly charged to the caller's memcg. This ensures existing cgroup
memory limits apply and prevents uncontrolled kernel memory growth without
introducing additional policy or per-file limits.

Published: 2026-05-08

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the DRM subsystem of the Linux kernel allows a local user to request a property blob of arbitrary size through the DRM_IOCTL_MODE_CREATEPROPBLOB ioctl. The kernel fails to account the allocated memory for the caller’s memory cgroup, so the memory is not limited by any cgroup quota. An attacker can therefore consume an unbounded amount of kernel memory, which can trigger a system‑wide out‑of‑memory condition and bring the host to a halt. This represents a strong denial‑of‑service risk to the entire system.

Affected Systems

All current releases of the Linux kernel that have not been patched to account property blob allocations in memcg are affected. The vulnerability applies to the generic Linux:Linux product irrespective of distribution.

Risk and Exploitability

The attack requires only local access and the ability to invoke the ioctl. Because the allocation is unbounded and not restricted by any cgroup limits, an unprivileged user can potentially exhaust kernel memory. The CVSS score of 5.5 indicates moderate severity. The EPSS score is not available and the vulnerability is not listed in the KEV catalog, but the potential impact is high and the likelihood of exploitation is moderate to high on systems that expose the DRM subsystem.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e2f5d2ea479b9b2619965d43db70939589afe43a`	affected	< b6117210ed349356f8e6027ff020b4d620bca42b
`e2f5d2ea479b9b2619965d43db70939589afe43a`	affected	< 815fa29cab3c67bebb9d0b5f41145cdd3a14d04d
`e2f5d2ea479b9b2619965d43db70939589afe43a`	affected	< 866e0c1a9e7244d58ed74853cb22b81e1900cfdd
`e2f5d2ea479b9b2619965d43db70939589afe43a`	affected	< bbfaa5761f589a81031b493cb01275a990d6fb25
`e2f5d2ea479b9b2619965d43db70939589afe43a`	affected	< 8e1664b9ee43608eb973d357ae5d858d30cbc9ca
`e2f5d2ea479b9b2619965d43db70939589afe43a`	affected	< cb8b9a1755fe9f38e4fb7f287486d7e7fab3dba4
`e2f5d2ea479b9b2619965d43db70939589afe43a`	affected	< 405fd652d8fedff219a8f48daf8f20e881e303ab
`e2f5d2ea479b9b2619965d43db70939589afe43a`	affected	< 26b4309a3ab82a0697751cde52eb336c29c19035

Linux

affected

Version	Status	Constraints
`4.2`	affected	—
`0`	unaffected	< 4.2
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,b6117210ed349356f8e6027ff020b4d620bca42b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,815fa29cab3c67bebb9d0b5f41145cdd3a14d04d)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,866e0c1a9e7244d58ed74853cb22b81e1900cfdd)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,bbfaa5761f589a81031b493cb01275a990d6fb25)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8e1664b9ee43608eb973d357ae5d858d30cbc9ca)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,cb8b9a1755fe9f38e4fb7f287486d7e7fab3dba4)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,405fd652d8fedff219a8f48daf8f20e881e303ab)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,26b4309a3ab82a0697751cde52eb336c29c19035)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that contains the patch which marks property blob allocations with GFP_KERNEL_ACCOUNT so they are charged to the caller’s memcg
If an immediate kernel update is not possible, restrict execution of DRM_IOCTL_MODE_CREATEPROPBLOB by applying system‑level controls such as seccomp rules or disabling the DRM subsystem for untrusted users
Enforce appropriate memory cgroup quotas and monitor kernel memory usage to detect and prevent excessive allocation attempts

Generated by OpenCVE AI on May 9, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/26b4309a3ab82a0697751cde52eb336c29c19035
https://git.kernel.org/stable/c/405fd652d8fedff219a8f48daf8f20e881e303ab
https://git.kernel.org/stable/c/815fa29cab3c67bebb9d0b5f41145cdd3a14d04d
https://git.kernel.org/stable/c/866e0c1a9e7244d58ed74853cb22b81e1900cfdd
https://git.kernel.org/stable/c/8e1664b9ee43608eb973d357ae5d858d30cbc9ca
https://git.kernel.org/stable/c/b6117210ed349356f8e6027ff020b4d620bca42b
https://git.kernel.org/stable/c/bbfaa5761f589a81031b493cb01275a990d6fb25
https://git.kernel.org/stable/c/cb8b9a1755fe9f38e4fb7f287486d7e7fab3dba4
https://lore.kernel.org/linux-cve-announce/2026050851-CVE-2026-43287-bab8@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43287
https://www.cve.org/CVERecord?id=CVE-2026-43287

History

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026050851-CVE-2026-43287-bab8@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43287 https://www.cve.org/CVERecord?id=CVE-2026-43287
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Fri, 08 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-221

Fri, 08 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm: Account property blob allocations to memcg DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized property blobs backed by kernel memory. Currently, the blob data allocation is not accounted to the allocating process's memory cgroup, allowing unprivileged users to trigger unbounded kernel memory consumption and potentially cause system-wide OOM. Mark the property blob data allocation with GFP_KERNEL_ACCOUNT so that the memory is properly charged to the caller's memcg. This ensures existing cgroup memory limits apply and prevents uncontrolled kernel memory growth without introducing additional policy or per-file limits.
Title		drm: Account property blob allocations to memcg
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/26b4309a3ab82a0697751cde52eb336c29c19035 https://git.kernel.org/stable/c/405fd652d8fedff219a8f48daf8f20e881e303ab https://git.kernel.org/stable/c/815fa29cab3c67bebb9d0b5f41145cdd3a14d04d https://git.kernel.org/stable/c/866e0c1a9e7244d58ed74853cb22b81e1900cfdd https://git.kernel.org/stable/c/8e1664b9ee43608eb973d357ae5d858d30cbc9ca https://git.kernel.org/stable/c/b6117210ed349356f8e6027ff020b4d620bca42b https://git.kernel.org/stable/c/bbfaa5761f589a81031b493cb01275a990d6fb25 https://git.kernel.org/stable/c/cb8b9a1755fe9f38e4fb7f287486d7e7fab3dba4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:11:12.541Z

Updated: 2026-05-09T04:09:55.929Z

Reserved: 2026-05-01T14:12:55.999Z

Link: CVE-2026-43287

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:35.600

Modified: 2026-05-08T14:16:35.600

Link: CVE-2026-43287

Redhat

Severity : Low

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43287 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T01:30:16Z

Weaknesses

CWE-221

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object