Description
In the Linux kernel, the following vulnerability has been resolved:

drm: Set old handle to NULL before prime swap in change_handle

There was a potential race condition in change_handle. The ioctl
briefly had a single object with two idr entries; a concurrent
gem_close could delete the object and remove one of the handles
while leaving the other one dangling, which could subsequently
be dereferenced for a use-after-free.

To fix this, do the same dance that gem_close itself does.
(f6cd7daecff5 drm: Release driver references to handle before making it available again)
First idr_replace the old handle to NULL. Later, if the prime
operations are successful, actually close it.

create_tail required a similar dance to avoid a similar problem.
(bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail())
It idr_allocs the new handle with NULL, then swaps in the correct
object later to avoid races. We don't need to do that here, since
the only operations that could race are drm_prime, and
change_handle holds the prime lock for the entire duration.

v2: cleanups of error paths
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel DRM subsystem, the change_handle function fails to nullify the old handle before swapping it during a prime operation, so for a short window one object is reachable through two handle-table entries. If a concurrent gem_close removes the object through one of them, the remaining handle points to freed memory. If the kernel later resolves that handle and dereferences the freed object, a use-after-free occurs that can corrupt kernel memory, potentially enabling arbitrary code execution or a kernel crash. The flaw arises from improper synchronization between change_handle and gem_close and is analogous to the related race conditions addressed in the commits cited in the description.
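The following is an added example, not code from the kernel or from the fixing commit: a user-space model of the handle-table race the description explains. A fixed-size array stands in for the file's handle idr, a counter plus a `freed` flag stands in for the object's reference count and its eventual free, and change_handle is split into a begin and a finish half so a gem_close of the old handle can be interleaved inside the window. All names (`handle_table`, `change_handle_begin`, `change_handle_finish`, `race_leaves_dangling_handle`) are assumptions of this model. The `fixed` argument selects the corrected ordering, in which the old handle's entry is replaced with NULL before the new handle is installed, so a concurrent close of the old handle no longer resolves to the object.

```c
/* Added example (not kernel code): user-space model of the change_handle race.
 * Handle slots model the file's handle idr; refcount/freed model the object lifetime. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_HANDLES 8

struct gem_object {
    int refcount;   /* one reference per handle, plus temporary lookup references */
    bool freed;     /* set instead of really freeing, so the model can inspect it */
};

struct handle_table {
    struct gem_object *slot[MAX_HANDLES];   /* stands in for the handle idr */
};

static void obj_get(struct gem_object *o) { o->refcount++; }

static void obj_put(struct gem_object *o)
{
    if (--o->refcount == 0)
        o->freed = true;
}

/* Model of gem_close: resolve the handle, remove it, drop the handle's reference. */
static int gem_close(struct handle_table *t, int handle)
{
    struct gem_object *o = t->slot[handle];
    if (!o)
        return -1;              /* handle does not resolve (ENOENT in the kernel) */
    t->slot[handle] = NULL;
    obj_put(o);
    return 0;
}

struct change_ctx {
    struct gem_object *obj;
    int old_h, new_h;
    bool fixed;
};

/* First half of change_handle, up to the point where the prime swap would run. */
static int change_handle_begin(struct handle_table *t, int old_h, int new_h,
                               bool fixed, struct change_ctx *ctx)
{
    struct gem_object *o = t->slot[old_h];
    if (!o || t->slot[new_h])
        return -1;
    obj_get(o);                 /* lookup reference held by the ioctl while it runs */
    if (fixed)
        t->slot[old_h] = NULL;  /* idr_replace(old, NULL): old handle stops resolving */
    t->slot[new_h] = o;         /* second table entry for the same object */
    ctx->obj = o; ctx->old_h = old_h; ctx->new_h = new_h; ctx->fixed = fixed;
    return 0;
}

/* Second half: commit or roll back after the prime operations, drop the lookup ref. */
static void change_handle_finish(struct handle_table *t, struct change_ctx *ctx, bool prime_ok)
{
    if (prime_ok) {
        t->slot[ctx->old_h] = NULL;       /* vulnerable order: old entry removed only now */
    } else {
        t->slot[ctx->new_h] = NULL;
        if (ctx->fixed)
            t->slot[ctx->old_h] = ctx->obj; /* restore the entry that was replaced with NULL */
    }
    obj_put(ctx->obj);
}

/* Interleave a gem_close of the old handle inside the change_handle window and
 * report whether the new handle is left pointing at a freed object. */
static bool race_leaves_dangling_handle(bool fixed)
{
    struct gem_object obj = { .refcount = 1, .freed = false };
    struct handle_table t = { { NULL } };
    struct change_ctx ctx;
    t.slot[1] = &obj;                       /* constructed starting state: handle 1 -> obj */

    if (change_handle_begin(&t, 1, 2, fixed, &ctx) != 0)
        return false;
    gem_close(&t, 1);                       /* concurrent close of the old handle */
    change_handle_finish(&t, &ctx, true);
    return t.slot[2] != NULL && t.slot[2]->freed;
}

/* Error path of the corrected ordering: the old handle must come back intact. */
static bool fixed_error_path_restores_old_handle(void)
{
    struct gem_object obj = { .refcount = 1, .freed = false };
    struct handle_table t = { { NULL } };
    struct change_ctx ctx;
    t.slot[1] = &obj;

    if (change_handle_begin(&t, 1, 2, true, &ctx) != 0)
        return false;
    change_handle_finish(&t, &ctx, false);  /* prime operations failed */
    return t.slot[1] == &obj && t.slot[2] == NULL && obj.refcount == 1 && !obj.freed;
}

int main(void)
{
    printf("vulnerable ordering leaves dangling handle: %s\n",
           race_leaves_dangling_handle(false) ? "yes" : "no");
    printf("fixed ordering leaves dangling handle: %s\n",
           race_leaves_dangling_handle(true) ? "yes" : "no");
    printf("fixed error path restores old handle: %s\n",
           fixed_error_path_restores_old_handle() ? "yes" : "no");
    return 0;
}
```

With the vulnerable ordering, the close of the old handle drops the object's last handle reference, the ioctl's own lookup reference goes away in the finish half, and the new handle is left pointing at a freed object. With the corrected ordering the close returns an error because the old entry already reads NULL, the reference transfers to the new handle, and the error path puts the old entry back.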

Affected Systems

All systems running the Linux kernel with the DRM subsystem enabled are potentially affected. The vulnerability exists in any kernel version that has not yet incorporated the fix that sets the old handle to NULL before the prime swap (the same pattern as commit f6cd7daecff5, cited in the description). Because the CPE refers to the generic Linux kernel, it applies to all mainstream Linux distributions prior to the fix.

Risk and Exploitability

No CVSS score is provided and no EPSS data is available, but a use-after-free in kernel space indicates high severity. An attacker needs local access to reach the vulnerable DRM ioctl, so remote exploitation is unlikely without a prior local foothold. The vulnerability is not listed in CISA KEV, so no in-the-wild exploitation has been documented; kernel memory corruption of this kind can nevertheless lead to privilege escalation or denial of service. The exploitation risk is therefore high for environments with unpatched kernels, especially those that expose DRM device nodes to untrusted users.

Generated by OpenCVE AI on May 28, 2026 at 13:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Linux kernel release that includes the change_handle fix (setting the old handle to NULL before the prime swap, following the same pattern as commit f6cd7daecff5 cited in the description), e.g., the newest stable release from your distribution.
  • Reboot the system to load the updated kernel.
  • If a patch cannot be applied immediately, restrict DRM operations for untrusted users by tightening access controls (for example, the permissions on the /dev/dri device nodes) or, on headless systems where graphics are not needed, by unloading the drm module.

Advisories

No advisories yet.

History

Thu, 28 May 2026 10:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: In the Linux kernel, the following vulnerability has been resolved: drm: Set old handle to NULL before prime swap in change_handle There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free. To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it. create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration. v2: cleanups of error paths
Type: Title
  Values Removed: (none)
  Values Added: drm: Set old handle to NULL before prime swap in change_handle
Type: First Time appeared
  Values Removed: (none)
  Values Added: Linux; Linux linux Kernel
Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Linux; Linux linux Kernel
Type: References
  Values Removed: (none)
  Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:40:32.050Z

Reserved: 2026-05-13T15:03:33.105Z

Link: CVE-2026-46215

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:37.147

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46215

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T13:15:22Z

Weaknesses

No weakness.