CVE-2026-46314 - Vulnerability Details

- drm/v3d: Reject empty multisync extension to prevent infinite loop

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Reject empty multisync extension to prevent infinite loop

v3d_get_extensions() walks a userspace-provided singly-linked list of
ioctl extensions without any bound on the chain length. A local user
can craft a self-referential extension (ext->next == &ext) with zero
in_sync_count and out_sync_count, which bypasses the existing duplicate-
extension guard:

if (se->in_sync_count || se->out_sync_count)
return -EINVAL;

The guard never fires because v3d_get_multisync_post_deps() returns
immediately when count is zero, leaving both fields at zero on every
iteration. The result is an infinite loop in kernel context, blocking
the calling thread and pegging a CPU core indefinitely.

Fix this by rejecting a multisync extension where both in_sync_count
and out_sync_count are zero in v3d_get_multisync_submit_deps(). An
empty multisync carries no synchronization information and serves no
useful purpose, so returning -EINVAL for such an extension is the
correct defense against this attack vector.

Published: 2026-06-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability occurs in the Linux kernel’s drm/v3d driver when a local user crafts an ioctl extension that creates a self‑referential singly‑linked list. Because the driver does not bound the list length, an extension with both in_sync_count and out_sync_count set to zero bypasses existing validation checks and causes the kernel to walk an infinite loop. This lack of input validation is a CWE‑606 vulnerability. The loop blocks the calling thread and can pin a CPU core indefinitely, effectively exhausting kernel resources for that thread.

Affected Systems

The bug affects all Linux kernel releases that contain the unpatched drm/v3d driver. Specific version numbers are not supplied in the advisory, so any kernel built before the patch should be considered vulnerable.

Risk and Exploitability

The CVSS score is not provided and the EPSS is unavailable; the vulnerability is not listed in CISA KEV. The attack requires local privilege to invoke the relevant ioctl, so a compromised or untrusted user on the system can intentionally trigger the denial of service. The loop runs in kernel mode and does not involve network exposure.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e4165ae8304e5ea822fbe5909dd3be5445c058b7`	affected	< 4fa42a249e8cd6ed17aea04e5695b6e9001f2433
`e4165ae8304e5ea822fbe5909dd3be5445c058b7`	affected	< 9c5164781cb388d219d8f49fa0f0b04cf86ad544
`e4165ae8304e5ea822fbe5909dd3be5445c058b7`	affected	< fb44d589bf3148e13452185a6e772a7efbf2d684

Linux

affected

Version	Status	Constraints
`5.16`	affected	—
`0`	unaffected	< 5.16
`6.18.33`	unaffected	≤ 6.18.*
`7.0.9`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e4165ae8304e5ea822fbe5909dd3be5445c058b7,4fa42a249e8cd6ed17aea04e5695b6e9001f2433)`	affected	code_commit	—
`[e4165ae8304e5ea822fbe5909dd3be5445c058b7,9c5164781cb388d219d8f49fa0f0b04cf86ad544)`	affected	code_commit	—
`[e4165ae8304e5ea822fbe5909dd3be5445c058b7,fb44d589bf3148e13452185a6e772a7efbf2d684)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.16`	affected	generic	—
`[0,5.16)`	unaffected	generic	—
`[6.18.33,6.19.0)`	unaffected	semver	—
`[7.0.9,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a patched release that rejects empty multisync extensions in the drm/v3d driver.
If a quick kernel update is not possible, restrict access to the DRM ioctl so that only privileged users can issue multisync requests.
As a temporary measure, modify any user‑space applications that use drm/v3d to validate sync counts and avoid sending extensions with zero in_sync_count and out_sync_count.

Generated by OpenCVE AI on June 9, 2026 at 02:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4fa42a249e8cd6ed17aea04e5695b6e9001f2433
https://git.kernel.org/stable/c/9c5164781cb388d219d8f49fa0f0b04cf86ad544
https://git.kernel.org/stable/c/fb44d589bf3148e13452185a6e772a7efbf2d684
https://lore.kernel.org/linux-cve-announce/2026060854-CVE-2026-46314-2b40@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46314
https://www.cve.org/CVERecord?id=CVE-2026-46314

History

Tue, 09 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-606
References		https://lore.kernel.org/linux-cve-announce/2026060854-CVE-2026-46314-2b40@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46314 https://www.cve.org/CVERecord?id=CVE-2026-46314

Mon, 08 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Reject empty multisync extension to prevent infinite loop v3d_get_extensions() walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referential extension (ext->next == &ext) with zero in_sync_count and out_sync_count, which bypasses the existing duplicate- extension guard: if (se->in_sync_count \|\| se->out_sync_count) return -EINVAL; The guard never fires because v3d_get_multisync_post_deps() returns immediately when count is zero, leaving both fields at zero on every iteration. The result is an infinite loop in kernel context, blocking the calling thread and pegging a CPU core indefinitely. Fix this by rejecting a multisync extension where both in_sync_count and out_sync_count are zero in v3d_get_multisync_submit_deps(). An empty multisync carries no synchronization information and serves no useful purpose, so returning -EINVAL for such an extension is the correct defense against this attack vector.
Title		drm/v3d: Reject empty multisync extension to prevent infinite loop
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4fa42a249e8cd6ed17aea04e5695b6e9001f2433 https://git.kernel.org/stable/c/9c5164781cb388d219d8f49fa0f0b04cf86ad544 https://git.kernel.org/stable/c/fb44d589bf3148e13452185a6e772a7efbf2d684

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-08T15:50:45.305Z

Updated: 2026-06-08T15:50:45.305Z

Reserved: 2026-05-13T15:03:33.111Z

Link: CVE-2026-46314

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-08T17:16:50.430

Modified: 2026-06-08T17:16:50.430

Link: CVE-2026-46314

Redhat

Severity :

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-46314 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T02:45:36Z

Weaknesses

CWE-606

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object