CVE-2026-46211 - Vulnerability Details

- drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()

msm_ioctl_gem_info_get_metadata() always returns 0 regardless of
errors. When copy_to_user() fails or the user buffer is too small,
the error code stored in ret is ignored because the function
unconditionally returns 0. This causes userspace to believe the
ioctl succeeded when it did not.

Additionally, kmemdup() can return NULL on allocation failure, but
the return value is not checked. This leads to a NULL pointer
dereference in the subsequent copy_to_user() call.

Add the missing NULL check for kmemdup() and return ret instead of 0.

Note that the SET counterpart (msm_ioctl_gem_info_set_metadata)
correctly returns ret.

Patchwork: https://patchwork.freedesktop.org/patch/714478/

Published: 2026-05-28

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel driver msm_ioctl_gem_info_get_metadata() in the DRM/msm subsystem fails to propagate error codes when copy_to_user() fails or when the user buffer is too small, always returning 0 regardless of underlying errors. In addition, the function does not check if kmemdup() returns NULL on allocation failure, which leads to a NULL pointer dereference during copy_to_user(). These bugs cause kernel modules to crash or misreport success, enabling an attacker to trigger a kernel panic through a local ioctl request. The primary security impact is a denial of service due to the kernel crash, and the erroneous success return may mislead callers about the state of the metadata.

Affected Systems

Affected deployments include all Linux kernels that incorporate the MSM DRM driver before the patch that adds null checks and correct return semantics. The patch applied in the Linux kernel repository at commit 47cbfe2608314b833ad61a65827d8fb363bc2d2d addresses the issue. No specific version ranges are disclosed in the advisory; therefore any kernel earlier than the commit that implements the fix is considered vulnerable.

Risk and Exploitability

The CVSS score is not provided, and the EPSS value is unavailable, so the exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. An attacker would need access to the DRM device (e.g., /dev/dri or similar) and the ability to invoke the ioctl, which is typically possible for local users on shared systems. Because the bug leads to a kernel crash, it is a high‑consequence vulnerability but may be limited by the need for privileged access to the device and lack of remote attack surface.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`9902cb999e4e913d98e8afe4b36c08e4a793e1ce`	affected	< 697e1a9559f6962f999cc4c748c2ffffcc0a7a7a
`9902cb999e4e913d98e8afe4b36c08e4a793e1ce`	affected	< c57c861956b89f2e2528e6384d51e2dedd915809
`9902cb999e4e913d98e8afe4b36c08e4a793e1ce`	affected	< b079e85c91f446f29e808d8291189e897f1884ff
`9902cb999e4e913d98e8afe4b36c08e4a793e1ce`	affected	< 47cbfe2608314b833ad61a65827d8fb363bc2d2d

Linux

affected

Version	Status	Constraints
`6.8`	affected	—
`0`	unaffected	< 6.8
`6.12.90`	unaffected	≤ 6.12.*
`6.18.32`	unaffected	≤ 6.18.*
`7.0.9`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[9902cb999e4e913d98e8afe4b36c08e4a793e1ce,697e1a9559f6962f999cc4c748c2ffffcc0a7a7a)`	affected	code_commit	—
`[9902cb999e4e913d98e8afe4b36c08e4a793e1ce,c57c861956b89f2e2528e6384d51e2dedd915809)`	affected	code_commit	—
`[9902cb999e4e913d98e8afe4b36c08e4a793e1ce,b079e85c91f446f29e808d8291189e897f1884ff)`	affected	code_commit	—
`[9902cb999e4e913d98e8afe4b36c08e4a793e1ce,47cbfe2608314b833ad61a65827d8fb363bc2d2d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.8`	affected	generic	—
`[0,6.8)`	unaffected	generic	—
`[6.12.90,6.13.0)`	unaffected	semver	—
`[6.18.32,6.19.0)`	unaffected	semver	—
`[7.0.9,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*)`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel patch that checks kmemdup() return values and propagates error codes for msm_ioctl_gem_info_get_metadata()
Upgrade the Linux kernel to a release that includes commit 47cbfe2608314b833ad61a65827d8fb363bc2d2d or an equivalent distribution update
If an upgrade cannot be performed immediately, restrict access to the DRM device nodes or disable the MSM DRM driver to prevent the vulnerable ioctl from being invoked

Generated by OpenCVE AI on May 28, 2026 at 12:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/47cbfe2608314b833ad61a65827d8fb363bc2d2d
https://git.kernel.org/stable/c/697e1a9559f6962f999cc4c748c2ffffcc0a7a7a
https://git.kernel.org/stable/c/b079e85c91f446f29e808d8291189e897f1884ff
https://git.kernel.org/stable/c/c57c861956b89f2e2528e6384d51e2dedd915809

History

Thu, 28 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-209 CWE-476

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not. Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call. Add the missing NULL check for kmemdup() and return ret instead of 0. Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret. Patchwork: https://patchwork.freedesktop.org/patch/714478/
Title		drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/47cbfe2608314b833ad61a65827d8fb363bc2d2d https://git.kernel.org/stable/c/697e1a9559f6962f999cc4c748c2ffffcc0a7a7a https://git.kernel.org/stable/c/b079e85c91f446f29e808d8291189e897f1884ff https://git.kernel.org/stable/c/c57c861956b89f2e2528e6384d51e2dedd915809

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:40:28.890Z

Updated: 2026-05-28T09:40:28.890Z

Reserved: 2026-05-13T15:03:33.105Z

Link: CVE-2026-46211

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:36.760

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46211

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T15:15:19Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object