Description
In the Linux kernel, the following vulnerability has been resolved:

drm: Replace old pointer to new idr

Commit 5e28b7b94408 introduced a logical error by failing to replace the
newly generated IDR pointer to old id's pointer at the correct location
within the "change handle" logic; this resulted in the issue reported by
syzbot [1].

Specifically, the new IDR object pointer is intended to replace the original
id's pointer during the normal execution flow.

Additionally, an unnecessary conditional check for the ret exit path has
been removed.

[1]
!RB_EMPTY_ROOT(&prime_fpriv->dmabufs)
WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833
Call Trace:
drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269
drm_file_free drivers/gpu/drm/drm_file.c:237 [inline]
drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290
drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logical error was introduced in the DRM subsystem of the Linux kernel. The bug causes a newly generated IDR object pointer to fail to replace the original ID's pointer in the change handle logic, leaving the old pointer in place. This leaves the kernel with an invalid or stale pointer that can be dereferenced, potentially resulting in memory corruption, a kernel panic, or even privilege escalation if an attacker can manipulate the affected DRM path.

Affected Systems

Linux kernels that contain commit 5e28b7b94408, which introduced the error, and that do not yet include the fix "drm: Replace old pointer to new idr" are vulnerable. The issue arises within the DRM prime buffer management code used by graphics drivers on any Linux distribution that ships the affected kernel. No specific vendor or product version ranges were listed in the CNA data, so the vulnerability applies broadly to all kernels containing the unpatched DRM logic.

Risk and Exploitability

The CVSS score is not provided and the EPSS score is unavailable, so the exact likelihood of exploitation cannot be quantified. The vulnerability is not in the CISA KEV catalog. Based on the description, the attack likely requires a component that can interact with the DRM subsystem, such as a user‑space graphics driver or a specially crafted file descriptor. An attacker with the ability to execute code in the context of a privileged DRM client could potentially trigger the invalid pointer usage to cause a crash or escalation. The exact path for an exploit is not detailed, but the logical nature of the bug suggests that exploitation would be harder to conduct than an obvious buffer overflow.

Generated by OpenCVE AI on June 24, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that contains the fix "drm: Replace old pointer to new idr", which corrects the IDR pointer replacement error introduced by commit 5e28b7b94408.
  • If an upgrade is not immediately possible, restrict untrusted access to DRM devices by using appropriate device permissions or disabling unused graphics drivers that interact with the DRM subsystem.
  • Configure the system to capture kernel crash dumps (kdump) and enable automated reboot or crash reporting so that unexpected kernel panics can be investigated and mitigated promptly.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 18:45:00 +0000

Values Removed: (none)
Values Added:
  • Weaknesses: CWE-404, CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Values Removed: (none)
Values Added:
  • Description: same text as the Description section at the top of this page
  • Title: drm: Replace old pointer to new idr
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:45.891Z

Reserved: 2026-06-09T07:44:35.374Z

Link: CVE-2026-52966

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:30:06Z

Weaknesses
  • CWE-404

    Improper Resource Shutdown or Release

  • CWE-416

    Use After Free