Description
In the Linux kernel, the following vulnerability has been resolved:

drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()

msm_ioctl_gem_info_get_metadata() always returns 0 regardless of
errors. When copy_to_user() fails or the user buffer is too small,
the error code stored in ret is ignored because the function
unconditionally returns 0. This causes userspace to believe the
ioctl succeeded when it did not.

Additionally, kmemdup() can return NULL on allocation failure, but
the return value is not checked. This leads to a NULL pointer
dereference in the subsequent copy_to_user() call.

Add the missing NULL check for kmemdup() and return ret instead of 0.

Note that the SET counterpart (msm_ioctl_gem_info_set_metadata)
correctly returns ret.

Patchwork: https://patchwork.freedesktop.org/patch/714478/
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel DRM/MSM driver contains a function that incorrectly returns success even when copying data to userspace fails, and that also fails to check for a NULL pointer returned by a memory allocation. The function can therefore both mislead userspace into believing an operation succeeded and cause a kernel panic through a NULL dereference. This flaw would allow an attacker to trigger a denial of service but does not give any escalation of privileges or remote access.
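The two defects described above, modelled in userspace C as an added example (not the kernel's code and not the patch): `dup_mem`, `copy_out`, `get_metadata`, the fault-injection switches and the `-ERANGE` stand-in for the too-small-buffer error are all assumptions. Calling with `fixed=0` reproduces the always-return-0 behaviour; `fixed=1` applies the NULL check and returns `ret`.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Userspace model: every name here is a stand-in, not a kernel symbol. */
struct obj { const void *meta; size_t meta_len; };
static int fail_alloc, fail_copy;  /* fault-injection switches */
static int null_src_seen;          /* set where the kernel would hit NULL */

static void *dup_mem(const void *src, size_t len)  /* models kmemdup() */
{
    void *p = fail_alloc ? NULL : malloc(len);
    return p ? memcpy(p, src, len) : NULL;
}

/* Models copy_to_user(): returns the number of bytes NOT copied. */
static size_t copy_out(void *dst, const void *src, size_t len)
{
    null_src_seen |= !src;         /* kernel: NULL pointer dereference here */
    if (!src || fail_copy)
        return len;
    memcpy(dst, src, len);
    return 0;
}

static int get_metadata(const struct obj *o, void *ubuf, size_t *ulen, int fixed)
{
    int ret = 0;
    void *buf = dup_mem(o->meta, o->meta_len);
    if (fixed && !buf)
        return -ENOMEM;            /* the missing NULL check */
    if (*ulen < o->meta_len)
        ret = -ERANGE;             /* stand-in for the "too small" error */
    else if (copy_out(ubuf, buf, o->meta_len))
        ret = -EFAULT;
    else
        *ulen = o->meta_len;
    free(buf);
    return fixed ? ret : 0;        /* pre-fix: the error in ret is discarded */
}

int main(void)
{
    struct obj o = { "meta", 4 };  /* constructed sample object */
    char ubuf[8];
    size_t len = 2;                /* deliberately smaller than meta_len */
    printf("pre-fix ret=%d, ", get_metadata(&o, ubuf, &len, 0));
    printf("fixed ret=%d\n", get_metadata(&o, ubuf, &len, 1));
    return 0;
}
```

A caller that trusts the pre-fix return value will read its buffer as if it held valid metadata, which is why the fix matters to userspace even when no crash occurs.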

Affected Systems

All versions of the Linux kernel that include the MSM driver before the commit 47cbfe2608314b833ad61a65827d8fb363bc2d2d are vulnerable. Users need to check their running kernel against that commit; otherwise the kernel is considered affected. The vulnerability applies to the general Linux kernel, with no specific vendor distribution version range listed.

Risk and Exploitability

The CVSS score is 5.5, and the EPSS score is less than 1%, indicating a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local: an attacker must have access to a DRM device node such as /dev/dri/card0 and normal user privileges. Successful exploitation would result in a kernel panic or denial of service for all users on the affected system. No privilege escalation or remote compromise can be achieved.

Generated by OpenCVE AI on June 10, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds a NULL check and restores proper return semantics in msm_ioctl_gem_info_get_metadata() (commit 47cbfe2608314b833ad61a65827d8fb363bc2d2d).
  • Upgrade to a kernel release that incorporates this commit, or to a distribution update that includes the fix.
  • If an immediate kernel upgrade is not possible, limit access to the DRM device nodes (e.g., /dev/dri/*) via udev rules or ACLs, or temporarily disable the MSM DRM driver until the patch can be applied.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 29 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-209
CWE-476

Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-209
CWE-476

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not. Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call. Add the missing NULL check for kmemdup() and return ret instead of 0. Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret. Patchwork: https://patchwork.freedesktop.org/patch/714478/
Title drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:03:02.808Z

Reserved: 2026-05-13T15:03:33.105Z

Link: CVE-2026-46211

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:36.760

Modified: 2026-06-10T19:17:34.243

Link: CVE-2026-46211

Redhat

Severity:

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46211 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T20:30:28Z

Weaknesses
  • CWE-390

    Detection of Error Condition Without Action

  • CWE-476

    NULL Pointer Dereference