Description
In the Linux kernel, the following vulnerability has been resolved:

drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()

drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions
using plain integer division:

    unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
    unsigned int height = mode_cmd->height / (i ? info->vsub : 1);

However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses
drm_format_info_plane_width/height() which round up dimensions via
DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object
size check for certain pixel format and dimension combinations.

For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the
GEM size validation path sees height=0 instead of height=1. The
expression (height - 1) then wraps to UINT_MAX as an unsigned int,
causing min_size to overflow and wrap back to a small value. A tiny
GEM object therefore passes the size guard, yet when the GPU accesses
the chroma plane it will read or write memory beyond the object's
bounds.

Fix by replacing the open-coded divisions with drm_format_info_plane_width()
and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match
the calculation already used in framebuffer_check().
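
The arithmetic described above, reproduced as an added example; it is not code from the kernel or from the patch. The min_size() formula, the pitch and offset values, and the helper names are assumptions made for illustration, and the example goes one step beyond the text by showing that odd heights above 1 leave the guard one row short even without a wrap.

```c
#include <stdio.h>

/* Same rounding as the kernel's DIV_ROUND_UP() macro. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Constructed sample: chroma plane of an NV12 framebuffer 64 pixels wide
 * (hsub = vsub = 2, 2 bytes per chroma sample). Pitch and offset are made up. */
#define FB_WIDTH 64u
#define HSUB 2u
#define VSUB 2u
#define CHROMA_CPP 2u
#define PITCH 64u
#define OFFSET 64u

/* Plane height before the fix: truncating division. */
unsigned int plane_height_trunc(unsigned int fb_height, unsigned int vsub)
{
	return fb_height / vsub;
}

/* Plane height after the fix: rounded up, as framebuffer_check() does. */
unsigned int plane_height_round_up(unsigned int fb_height, unsigned int vsub)
{
	return DIV_ROUND_UP(fb_height, vsub);
}

/* Assumed model of the size guard: offset of the plane plus the bytes up to
 * the end of its last row, all in (32-bit) unsigned int arithmetic. */
unsigned int min_size(unsigned int height, unsigned int row_bytes,
		      unsigned int pitch, unsigned int offset)
{
	return (height - 1) * pitch + row_bytes + offset;
}

/* Bytes the plane needs beyond what the pre-fix guard demanded. */
unsigned int guard_shortfall(unsigned int fb_height)
{
	unsigned int row = DIV_ROUND_UP(FB_WIDTH, HSUB) * CHROMA_CPP;
	unsigned int checked = min_size(plane_height_trunc(fb_height, VSUB), row, PITCH, OFFSET);
	unsigned int needed = min_size(plane_height_round_up(fb_height, VSUB), row, PITCH, OFFSET);
	return needed - checked;
}

int main(void)
{
	for (unsigned int h = 1; h <= 4; h++)
		printf("fb height %u: guard short by %u bytes\n", h, guard_shortfall(h));
	return 0;
}
```

With these sample values the pre-fix guard for a 1-pixel-tall framebuffer demands only the plane offset (64 bytes), while the chroma row actually ends at byte 128.
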
Published: 2026-05-28
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux DRM GEM framebuffer helper drm_gem_fb_init_with_funcs() calculates the dimensions of sub-sampled planes with plain integer division, while the framebuffer validation path, framebuffer_check(), rounds them up using DIV_ROUND_UP(). For certain pixel formats such as NV12, a framebuffer that is one pixel tall yields a height of zero in the size guard, and the expression (height - 1) wraps to the maximum unsigned int value. This wrap causes the minimum size calculation to overflow back to an extremely small value, so a GEM object far smaller than the pixel data it must hold passes the size check. When the GPU later accesses the chroma plane, it reads or writes memory beyond the object's bounds, corrupting kernel memory. This out-of-bounds access can lead directly to privilege escalation or a denial-of-service condition.

Affected Systems

This flaw is present in all Linux kernel releases that include the buggy drm_gem_fb_init_with_funcs() implementation. The vendor list indicates that the Linux kernel itself is affected; no specific version range is provided, so any kernel that contains the unpatched function should be treated as affected until the patch is applied.

Risk and Exploitability

The vulnerability has a CVSS score of 7.8, indicating high severity, and an EPSS score of <1%, implying a low likelihood of exploitation. It is not listed in the CISA KEV catalog, so there is no record there of exploitation in the wild. Exploitation requires a local process that can invoke DRM ioctl calls to create or modify framebuffer objects, a capability normally restricted to users with GPU access. The likely attack vector is therefore local; based on the description, it is inferred that such calls can trigger out-of-bounds memory accesses that corrupt kernel memory or crash the system, potentially enabling code execution or denial of service.

Generated by OpenCVE AI on June 10, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that replaces the integer division in drm_gem_fb_init_with_funcs() with drm_format_info_plane_width() and drm_format_info_plane_height() which use DIV_ROUND_UP(). This change fixes both the integer overflow weakness (CWE-190) caused by inconsistent plane size calculations and the out‑of‑bounds memory write (CWE-787) that can occur when the GPU accesses chroma plane data beyond the allocated bounds.
  • Restrict permission to DRM device node ioctl interfaces for untrusted or non-privileged users, for example by setting stricter device node ownership or by using systemd protection or a custom kernel module that filters DRM calls.
  • Enable kernel memory protection features such as KASLR, SMEP/SMAP, and, if available, the Protection Domain for GPU access, and consider using SELinux or AppArmor profiles to confine applications that interact with the DRM subsystem.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 29 May 2026 00:15:00 +0000

Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Important


Thu, 28 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-190

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Title drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:02:54.931Z

Reserved: 2026-05-13T15:03:33.105Z

Link: CVE-2026-46209

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:36.567

Modified: 2026-06-10T19:17:50.510

Link: CVE-2026-46209

Red Hat

Severity: Important

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46209 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T20:30:28Z

Weaknesses