Description
In the Linux kernel, the following vulnerability has been resolved:

drm/komeda: fix integer overflow in AFBC framebuffer size check

The AFBC framebuffer size validation calculates the minimum required
buffer size by adding the AFBC payload size to the framebuffer offset.
This addition is performed without checking for integer overflow.

If the addition overflows, the size check may incorrectly succeed and
allow userspace to provide an undersized drm_gem_object, potentially
leading to out-of-bounds memory access.

Add usage of check_add_overflow() to safely compute the minimum
required size and reject the framebuffer if an overflow is detected.
This makes the AFBC size validation more robust against malformed.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
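
The size check described above, modelled in userspace C as an added example (not the driver's or the kernel's code). The function names, the 32-bit width of the sum and the sample values are constructed assumptions; `__builtin_add_overflow` is the GCC/Clang builtin that the kernel's check_add_overflow() wraps.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: payload size + offset is computed in 32 bits, so the
 * sum can wrap and come out smaller than either operand. */
static bool size_ok_unchecked(uint32_t afbc_size, uint32_t offset,
                              uint64_t obj_size)
{
    uint32_t min_size = afbc_size + offset;   /* wraps modulo 2^32 */
    return min_size <= obj_size;
}

/* Checked form: reject the framebuffer as soon as the sum overflows,
 * then compare the (now trustworthy) minimum size to the object size. */
static bool size_ok_checked(uint32_t afbc_size, uint32_t offset,
                            uint64_t obj_size)
{
    uint32_t min_size;

    if (__builtin_add_overflow(afbc_size, offset, &min_size))
        return false;                          /* caller would return -EINVAL */
    return min_size <= obj_size;
}

int main(void)
{
    /* Constructed inputs: {payload size, offset, backing object size}. */
    static const struct { uint32_t afbc, off; uint64_t obj; const char *what; } t[] = {
        { 0x00100000u, 0x00000000u, 0x00100000u, "object large enough" },
        { 0x00100000u, 0x00000000u, 4096u,       "object too small"    },
        { 0x00100000u, 0xFFF00010u, 4096u,       "sum wraps to 0x10"   },
    };

    for (size_t i = 0; i < sizeof(t) / sizeof(t[0]); i++)
        printf("%-20s unchecked=%s checked=%s\n", t[i].what,
               size_ok_unchecked(t[i].afbc, t[i].off, t[i].obj) ? "accept" : "reject",
               size_ok_checked(t[i].afbc, t[i].off, t[i].obj) ? "accept" : "reject");
    return 0;
}
```

Only the third row differs between the two functions: the wrapped sum makes a 4096-byte object look sufficient to the unchecked form, while the checked form rejects it.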
AI Analysis

Impact

In the Linux kernel DRM Komeda driver, an integer overflow occurs when computing the minimum required buffer size for an AFBC framebuffer. The overflow causes the validation to incorrectly succeed, allowing userspace to supply an undersized drm_gem_object that can write beyond the intended memory region. This out-of-bounds write may corrupt kernel memory or crash the system, potentially enabling arbitrary code execution in kernel mode or causing a denial of service. The flaw stems from insufficient bounds checking during an arithmetic addition.

Affected Systems

The vulnerability exists in the Linux kernel, affecting any kernel build that contains the Komeda DRM driver before the patch that adds check_add_overflow. The vendor is Linux and the product is the Linux kernel; no specific version range is listed, so any kernel missing the fix is potentially vulnerable.

Risk and Exploitability

The EPSS score is not available, and the issue is not listed in KEV, leaving the public exploitation likelihood uncertain. Nonetheless, an integer overflow in a kernel driver suggests a high‑impact flaw triggered by local users who can open DRM devices. If exploited, an attacker could achieve kernel privilege escalation or destabilize the system via memory corruption.

Generated by OpenCVE AI on June 24, 2026 at 19:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the Komeda driver patch, which adds overflow checking to the AFBC framebuffer size validation.
  • If a kernel update cannot be applied, disable AFBC support in the kernel configuration or by using a boot‑time parameter to prevent the vulnerable functionality from being enabled.
  • Restrict access to DRM devices by limiting the active user group membership (e.g., drm group) and enforce SELinux/AppArmor policies to restrict which processes may open the affected devices.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-119, CWE-680 |

Wed, 24 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | In the Linux kernel, the following vulnerability has been resolved: drm/komeda: fix integer overflow in AFBC framebuffer size check The AFBC framebuffer size validation calculates the minimum required buffer size by adding the AFBC payload size to the framebuffer offset. This addition is performed without checking for integer overflow. If the addition overflows, the size check may incorrectly succeed and allow userspace to provide an undersized drm_gem_object, potentially leading to out-of-bounds memory access. Add usage of check_add_overflow() to safely compute the minimum required size and reject the framebuffer if an overflow is detected. This makes the AFBC size validation more robust against malformed. Found by Linux Verification Center (linuxtesting.org) with SVACE. |
| Title | | drm/komeda: fix integer overflow in AFBC framebuffer size check |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:10.140Z

Reserved: 2026-06-09T07:44:35.382Z

Link: CVE-2026-53068

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:30:08Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-680

    Integer Overflow to Buffer Overflow