Description
In the Linux kernel, the following vulnerability has been resolved:

drm: Set old handle to NULL before prime swap in change_handle

There was a potential race condition in change_handle. The ioctl
briefly had a single object with two idr entries; a concurrent
gem_close could delete the object and remove one of the handles
while leaving the other one dangling, which could subsequently
be dereferenced for a use-after-free.

To fix this, do the same dance that gem_close itself does.
(f6cd7daecff5 drm: Release driver references to handle before making it available again)
First idr_replace the old handle to NULL. Later, if the prime
operations are successful, actually close it.

create_tail required a similar dance to avoid a similar problem.
(bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail())
It idr_allocs the new handle with NULL, then swaps in the correct
object later to avoid races. We don't need to do that here, since
the only operations that could race are drm_prime, and
change_handle holds the prime lock for the entire duration.

v2: cleanups of error paths
Published: 2026-05-28
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel DRM subsystem, the change_handle function does not set the old handle's idr entry to NULL before swapping it during a prime operation, so for a short window a single GEM object is reachable through two idr entries. The flaw is a race condition classified as CWE-416. If a concurrent gem_close deletes the object and removes one of the handles, the remaining handle points to freed memory; a later dereference of that dangling entry is a use-after-free that can corrupt kernel memory, potentially enabling kernel crashes or privilege escalation. The root cause is improper synchronization between change_handle and gem_close; the same class of race was previously fixed in gem_close itself (f6cd7daecff5) and in drm_gem_handle_create_tail() (bd46cece51a3).

Affected Systems

All systems running the Linux kernel with the DRM subsystem enabled are potentially affected. The vulnerability exists in any kernel version that has not yet incorporated the fix that sets the old handle to NULL before the prime swap in change_handle (the fix reuses the approach of commit f6cd7daecff5 in gem_close). Because the CPE refers to the generic Linux kernel, it applies to all mainstream Linux distributions prior to the fix.

Risk and Exploitability

The CVSS score is 7.8 (high severity) and the EPSS score is below 1%, indicating a low estimated probability of exploitation. The attack vector is local: an attacker must be able to invoke the vulnerable DRM ioctl, so remote exploitation is improbable without a prior local foothold. The vulnerability is not listed in CISA KEV, so no exploitation in the wild has been documented, but a kernel use-after-free can lead to privilege escalation or denial of service. The risk is therefore high for environments with unpatched kernels, especially those exposing DRM functionality to untrusted users.

Generated by OpenCVE AI on June 10, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Linux kernel release that includes the fix setting the old handle to NULL before the prime swap in change_handle (e.g., the newest stable release from your distribution).
  • Reboot the system to load the updated kernel.
  • If a patch cannot be applied immediately, disable or restrict DRM operations for untrusted users by adjusting access controls or unloading the drm module.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416
CPEs | | cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
     | | cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

Sat, 30 May 2026 11:00:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-825
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
        | | threat_severity Important


Thu, 28 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | (full text as in the Description section above)
Title | | drm: Set old handle to NULL before prime swap in change_handle
First Time appeared | | Linux, Linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux, Linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:03:19.611Z

Reserved: 2026-05-13T15:03:33.105Z

Link: CVE-2026-46215

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:37.147

Modified: 2026-06-10T19:16:11.360

Link: CVE-2026-46215

Red Hat

Severity : Important

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46215 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T20:45:40Z

Weaknesses