Description
In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure

When ttm_tt_swapout() fails, the current code calls
ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail()
to restore the resource's bulk_move membership.

However, ttm_resource_move_to_lru_tail() places the resource at the tail
of the LRU list which, relative to the walk cursor's hitch node (placed
immediately after the resource when it was yielded), puts the resource
*in front of the* the hitch. The next list_for_each_entry_continue() from
the hitch finds the same resource again, causing an infinite loop.

Fix by deferring del_bulk_move to the success path only.

On the success path, TTM_TT_FLAG_SWAPPED has just been set by
ttm_tt_swapout() but the resource is still tracked in the bulk_move range,
so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would
incorrectly skip the removal. Introduce
ttm_resource_del_bulk_move_unevictable() which bypasses that guard.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability causes an infinite loop during the swapout process of the DRM TTM allocator, which can lock the kernel and result in a denial of service. The loop occurs when a failed swapout attempts to restore bulk_move membership, placing the resource ahead of its own hitch node and leading the walk cursor to revisit the same resource repeatedly. The flaw is tied to internal resource management and does not directly expose data or provide remote code execution. Based on the description, the likely attack vector is local: an load or interact with DRM drivers, or with elevated kernel privileges, could trigger swapout failures and induce the loop.

Affected Systems

All Linux kernel installations that employ the DRM TTM subsystem are potentially impacted. The issue does not specify a particular kernel version, so any build of the Linux kernel that includes the drm/ttm component before the patch is vulnerable until the kernel is updated. Vendors should verify that their kernel releases incorporate the commit that defers the bulk_move deletion to the successful swapout path.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity vulnerability, and the EPSS score of <1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because it can cause a kernel freeze, the risk is significant for systems requiring high availability. Exploitation requires a local attacker with sufficient privileges to induce swapout failures or to load modified DRM modules, making a purely remote attack unlikely.

Generated by OpenCVE AI on June 26, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the DRM TTM swapout fix.
  • If upgrading is not immediately possible, consider disabling the DRM TTM module or limiting its use by removing hardware or software that relies on it.
  • Check kernel logs for indications of swapout failures and monitor system responsiveness for potential DoS symptoms.

Generated by OpenCVE AI on June 26, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-631

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-237
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-631

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership. However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource *in front of the* the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop. Fix by deferring del_bulk_move to the success path only. On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.
Title drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:45.090Z

Reserved: 2026-06-09T07:44:35.374Z

Link: CVE-2026-52965

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52965 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T05:30:17Z

Weaknesses
  • CWE-237

    Improper Handling of Structural Elements