Description
In the Linux kernel, the following vulnerability has been resolved:

fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info

Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an
instance as part of initializing deferred I/O and remove it only after
the final mapping has been closed. If the fb_info and the contained
deferred I/O meanwhile go away, clear struct fb_deferred_io_state.info
to invalidate the mapping. Any access will then result in a SIGBUS
signal.

Fixes a long-standing problem, where a device hot-unplug happens while
user space still has an active mapping of the graphics memory. The hot-
unplug frees the instance of struct fb_info. Accessing the memory will
operate on undefined state.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux framebuffer (fbdev) code, the state of deferred I/O (defio) was tied to the lifetime of the struct fb_info instance. When a device is hot-unplugged while user space still keeps an active mapping of the device's graphics memory, the kernel frees the fb_info while the mapping remains usable, so any subsequent access through that mapping operates on freed, undefined state. The fix holds the state in struct fb_deferred_io_state, which is removed only after the final mapping has been closed; when the fb_info goes away, the info pointer inside the state is cleared, and any later access results in a SIGBUS signal instead. This represents a classic use-after-free flaw that forces a kernel panic and loss of availability, but does not provide an avenue for arbitrary code execution. Based on the description, it is inferred that the primary damage is a denial-of-service scenario at the system level.
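
The lifetime split that the Description gives as the fix, modelled in user-space C as an added example (not the kernel patch and not code from the Linux project). The struct names follow the description; the fields, the `defio_*` helpers, the reference count and the `FAULT_*` codes are assumptions, and the locking the kernel needs around the `info` pointer is left out.

```c
#include <stddef.h>
#include <stdlib.h>
/* User-space model: struct names follow the CVE text, fields are assumed. */
struct fb_info { unsigned char *screen; size_t len; };
struct fb_deferred_io_state {
    int refs;             /* 1 for the device + 1 per open mapping */
    struct fb_info *info; /* NULL once the device is gone */
};
enum { FAULT_OK = 0, FAULT_SIGBUS = -1 };
static int live_states;   /* states currently allocated (for checking) */
struct fb_deferred_io_state *defio_init(struct fb_info *info)
{
    struct fb_deferred_io_state *st = calloc(1, sizeof(*st));
    if (st) { st->refs = 1; st->info = info; live_states++; }
    return st;
}
void defio_vm_open(struct fb_deferred_io_state *st) { st->refs++; }
void defio_put(struct fb_deferred_io_state *st)
{
    if (--st->refs == 0) { free(st); live_states--; } /* last holder frees */
}
/* Hot-unplug: invalidate the mappings, then free the device. */
void defio_unplug(struct fb_deferred_io_state *st)
{
    struct fb_info *info = st->info;
    st->info = NULL;
    free(info->screen); free(info);
    defio_put(st);
}
int defio_fault(struct fb_deferred_io_state *st, size_t off, unsigned char *out)
{
    struct fb_info *info = st->info;
    if (!info || off >= info->len) return FAULT_SIGBUS; /* device gone */
    *out = info->screen[off];
    return FAULT_OK;
}
/* Constructed scenario: map, unplug while mapped, touch, then unmap. */
int fault_after_unplug(void)
{
    struct fb_info *info = calloc(1, sizeof(*info));
    unsigned char px = 0;
    info->len = 16; info->screen = calloc(info->len, 1);
    struct fb_deferred_io_state *st = defio_init(info);
    defio_vm_open(st);
    defio_unplug(st);
    int rc = defio_fault(st, 0, &px);
    defio_put(st);
    return rc;
}
int main(void) { return fault_after_unplug() == FAULT_SIGBUS ? 0 : 1; }
```

The fault path only ever reaches the device through the state object, so after unplug it sees a NULL `info` and reports the fault instead of reading freed memory.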

Affected Systems

All Linux kernel releases that contain the vulnerable fbdev defio implementation before the patch referenced by commit 25c2b77bc463f29ee71a54b883548baf9386a0db are affected. The flaw is present in the vanilla kernel and any downstream derivation that has not merged the commit, regardless of distribution. The affected vendor is Linux, and the affected product is the Linux kernel across all architectures that compile the fbdev subsystem.

Risk and Exploitability

The vulnerability leads to an uncontained kernel crash when a hot-unplug event coincides with an active graphics-memory mapping. Because the trigger requires a device being unplugged while in use, the attack vector is most likely local or involves control over the hardware. The CVSS score is 5.5, indicating moderate severity. The EPSS score is not available and the flaw is not listed in CISA's KEV catalog, indicating limited known exploitation. Nevertheless, the severity of a kernel panic warrants a high priority response. Based on the description, it is inferred that an attacker with physical or device-control capability could exploit this to cause a denial-of-service on the target system.

Generated by OpenCVE AI on May 28, 2026 at 05:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes commit 25c2b77bc463f29ee71a54b883548baf9386a0db or later releases that incorporate the defio patch.
  • If a kernel upgrade cannot be applied immediately, disable the fbdev framebuffer subsystem in the kernel configuration (set CONFIG_FB or the related defio option to n) so that the vulnerable code path is not compiled into the kernel.
  • Ensure that any graphics‑memory mappings are closed cleanly before initiating a device hot‑unplug to eliminate the race condition; monitor kernel logs for SIGBUS or oops events to detect remaining incidents.

Advisories

No advisories yet.

History

Thu, 28 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an instance as part of initializing deferred I/O and remove it only after the final mapping has been closed. If the fb_info and the contained deferred I/O meanwhile go away, clear struct fb_deferred_io_state.info to invalidate the mapping. Any access will then result in a SIGBUS signal. Fixes a long-standing problem, where a device hot-unplug happens while user space still has an active mapping of the graphics memory. The hot-unplug frees the instance of struct fb_info. Accessing the memory will operate on undefined state.
Title fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:32.968Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46065

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:27.050

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46065

Redhat

Severity : Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46065 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T05:45:05Z

Weaknesses