CVE-2026-46247 - Vulnerability Details

- clk: qcom: gfx3d: add parent to parent request map

Description

In the Linux kernel, the following vulnerability has been resolved:

clk: qcom: gfx3d: add parent to parent request map

After commit d228ece36345 ("clk: divider: remove round_rate() in favor
of determine_rate()") determining GFX3D clock rate crashes, because the
passed parent map doesn't provide the expected best_parent_hw clock
(with the roundd_rate path before the offending commit the
best_parent_hw was ignored).

Set the field in parent_req in addition to setting it in the req,
fixing the crash.

clk_hw_round_rate (drivers/clk/clk.c:1764) (P)
clk_divider_bestdiv (drivers/clk/clk-divider.c:336)
divider_determine_rate (drivers/clk/clk-divider.c:358)
clk_alpha_pll_postdiv_determine_rate (drivers/clk/qcom/clk-alpha-pll.c:1275)
clk_core_determine_round_nolock (drivers/clk/clk.c:1606)
clk_core_round_rate_nolock (drivers/clk/clk.c:1701)
__clk_determine_rate (drivers/clk/clk.c:1741)
clk_gfx3d_determine_rate (drivers/clk/qcom/clk-rcg2.c:1268)
clk_core_determine_round_nolock (drivers/clk/clk.c:1606)
clk_core_round_rate_nolock (drivers/clk/clk.c:1701)
clk_core_round_rate_nolock (drivers/clk/clk.c:1710)
clk_round_rate (drivers/clk/clk.c:1804)
dev_pm_opp_set_rate (drivers/opp/core.c:1440 (discriminator 1))
msm_devfreq_target (drivers/gpu/drm/msm/msm_gpu_devfreq.c:51)
devfreq_set_target (drivers/devfreq/devfreq.c:360)
devfreq_update_target (drivers/devfreq/devfreq.c:426)
devfreq_monitor (drivers/devfreq/devfreq.c:458)
process_one_work (arch/arm64/include/asm/jump_label.h:36 include/trace/events/workqueue.h:110 kernel/workqueue.c:3284)
worker_thread (kernel/workqueue.c:3356 (discriminator 2) kernel/workqueue.c:3443 (discriminator 2))
kthread (kernel/kthread.c:467)
ret_from_fork (arch/arm64/kernel/entry.S:861)

Published: 2026-06-03

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel the Qualcomm GFX3D clock driver can crash during clock rate calculation when a required parent clock is missing. The bug stems from an incorrectly populated parent request map, resulting in a null pointer dereference in clk_hw_round_rate and related functions. The crash triggers a kernel panic that brings the entire system down, rendering it unavailable to users.

Affected Systems

All Linux kernel builds that include the Qualcomm GFX3D clock driver before the commit that introduces the correct parent mapping are affected. This includes kernel packages used by distributions and OEM firmware that ship with Qualcomm GPUs. The vulnerability is confined to the clk: qcom: gfx3d component of the clock subsystem and does not affect other drivers or kernels that omit that component.

Risk and Exploitability

Based on the description it is inferred that the attack vector is local, as an attacker would need to trigger a clock rate determination for the GFX3D driver, which normally occurs during GPU operation or kernel boot. The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% signals a very low probability of exploitation. The CVE is not included in the CISA KEV catalog. Because the flaw causes a null pointer dereference that leads to a kernel panic, the damage is a denial‑of‑service rather than remote code execution. If an attacker can execute privileged code on the machine or force the driver to load, they can induce the crash, but no remote trigger is documented.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`55213e1acec9218580c90d36034aa0370a51daab`	affected	< 82cfe5292b11deb1dc33822f67f73cfbe8eafe25
`55213e1acec9218580c90d36034aa0370a51daab`	affected	< 547ae2f17349c7586953af5ef50de43ef3f65e9e
`55213e1acec9218580c90d36034aa0370a51daab`	affected	< 56360aa4ddd736fc19e6d0b0206c5e437e0d6ff8
`55213e1acec9218580c90d36034aa0370a51daab`	affected	< aed53da569fb96eec09b4817b1953bcc2e467eea
`55213e1acec9218580c90d36034aa0370a51daab`	affected	< 8aa972eba1f29068d13bec716d33abca30fb3f2a
`55213e1acec9218580c90d36034aa0370a51daab`	affected	< 2583cb925ca1ce450aa5d74a05a67448db970193

Linux

affected

Version	Status	Constraints
`4.5`	affected	—
`0`	unaffected	< 4.5
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[55213e1acec9218580c90d36034aa0370a51daab,82cfe5292b11deb1dc33822f67f73cfbe8eafe25)`	affected	code_commit	—
`[55213e1acec9218580c90d36034aa0370a51daab,547ae2f17349c7586953af5ef50de43ef3f65e9e)`	affected	code_commit	—
`[55213e1acec9218580c90d36034aa0370a51daab,56360aa4ddd736fc19e6d0b0206c5e437e0d6ff8)`	affected	code_commit	—
`[55213e1acec9218580c90d36034aa0370a51daab,aed53da569fb96eec09b4817b1953bcc2e467eea)`	affected	code_commit	—
`[55213e1acec9218580c90d36034aa0370a51daab,8aa972eba1f29068d13bec716d33abca30fb3f2a)`	affected	code_commit	—
`[55213e1acec9218580c90d36034aa0370a51daab,2583cb925ca1ce450aa5d74a05a67448db970193)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.5`	affected	generic	—
`[0,4.5)`	unaffected	generic	—
`[6.1.165,6.2.0)`	unaffected	generic	—
`[6.6.128,6.7.0)`	unaffected	generic	—
`[6.12.75,6.13.0)`	unaffected	generic	—
`[6.18.14,6.19.0)`	unaffected	generic	—
`[6.19.4,7.0.0)`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the commit fixing the parent request map bug.
If a kernel upgrade is not immediately possible, apply the upstream patch that adds the correct parent mapping to the GFX3D driver before the round rate functions are invoked.
As a temporary mitigation, disable GPU frequency scaling or devfreq features to prevent the crash from being triggered.

Generated by OpenCVE AI on June 9, 2026 at 23:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00123.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2583cb925ca1ce450aa5d74a05a67448db970193
https://git.kernel.org/stable/c/547ae2f17349c7586953af5ef50de43ef3f65e9e
https://git.kernel.org/stable/c/56360aa4ddd736fc19e6d0b0206c5e437e0d6ff8
https://git.kernel.org/stable/c/82cfe5292b11deb1dc33822f67f73cfbe8eafe25
https://git.kernel.org/stable/c/8aa972eba1f29068d13bec716d33abca30fb3f2a
https://git.kernel.org/stable/c/aed53da569fb96eec09b4817b1953bcc2e467eea
https://lore.kernel.org/linux-cve-announce/2026060333-CVE-2026-46247-4daa@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46247
https://www.cve.org/CVERecord?id=CVE-2026-46247

History

Tue, 09 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Thu, 04 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-209

Thu, 04 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026060333-CVE-2026-46247-4daa@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46247 https://www.cve.org/CVERecord?id=CVE-2026-46247
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 03 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-209 CWE-476

Wed, 03 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: clk: qcom: gfx3d: add parent to parent request map After commit d228ece36345 ("clk: divider: remove round_rate() in favor of determine_rate()") determining GFX3D clock rate crashes, because the passed parent map doesn't provide the expected best_parent_hw clock (with the roundd_rate path before the offending commit the best_parent_hw was ignored). Set the field in parent_req in addition to setting it in the req, fixing the crash. clk_hw_round_rate (drivers/clk/clk.c:1764) (P) clk_divider_bestdiv (drivers/clk/clk-divider.c:336) divider_determine_rate (drivers/clk/clk-divider.c:358) clk_alpha_pll_postdiv_determine_rate (drivers/clk/qcom/clk-alpha-pll.c:1275) clk_core_determine_round_nolock (drivers/clk/clk.c:1606) clk_core_round_rate_nolock (drivers/clk/clk.c:1701) __clk_determine_rate (drivers/clk/clk.c:1741) clk_gfx3d_determine_rate (drivers/clk/qcom/clk-rcg2.c:1268) clk_core_determine_round_nolock (drivers/clk/clk.c:1606) clk_core_round_rate_nolock (drivers/clk/clk.c:1701) clk_core_round_rate_nolock (drivers/clk/clk.c:1710) clk_round_rate (drivers/clk/clk.c:1804) dev_pm_opp_set_rate (drivers/opp/core.c:1440 (discriminator 1)) msm_devfreq_target (drivers/gpu/drm/msm/msm_gpu_devfreq.c:51) devfreq_set_target (drivers/devfreq/devfreq.c:360) devfreq_update_target (drivers/devfreq/devfreq.c:426) devfreq_monitor (drivers/devfreq/devfreq.c:458) process_one_work (arch/arm64/include/asm/jump_label.h:36 include/trace/events/workqueue.h:110 kernel/workqueue.c:3284) worker_thread (kernel/workqueue.c:3356 (discriminator 2) kernel/workqueue.c:3443 (discriminator 2)) kthread (kernel/kthread.c:467) ret_from_fork (arch/arm64/kernel/entry.S:861)
Title		clk: qcom: gfx3d: add parent to parent request map
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2583cb925ca1ce450aa5d74a05a67448db970193 https://git.kernel.org/stable/c/547ae2f17349c7586953af5ef50de43ef3f65e9e https://git.kernel.org/stable/c/56360aa4ddd736fc19e6d0b0206c5e437e0d6ff8 https://git.kernel.org/stable/c/82cfe5292b11deb1dc33822f67f73cfbe8eafe25 https://git.kernel.org/stable/c/8aa972eba1f29068d13bec716d33abca30fb3f2a https://git.kernel.org/stable/c/aed53da569fb96eec09b4817b1953bcc2e467eea

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-03T15:49:42.833Z

Updated: 2026-06-03T15:49:42.833Z

Reserved: 2026-05-13T15:03:33.107Z

Link: CVE-2026-46247

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-06-03T18:16:24.930

Modified: 2026-06-09T20:36:43.903

Link: CVE-2026-46247

Redhat

Severity : Low

Publid Date: 2026-06-03T00:00:00Z

Links: CVE-2026-46247 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T23:15:16Z

Weaknesses

CWE-476
NULL Pointer Dereference
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object