Description
In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gem: Fix phys BO pread/pwrite with offset

sg_page() returns struct page pointer not (void *) so the scaling
of pread/pwrite is wrong for phys BO and wrong parts of BO would be
accessed if non-zero offset is used.

Last impacted platform with overlay or cursor planes using phys
mapping was Gen3/945G/Lakeport.

(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
Published: 2026-07-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s i915 DRM driver, the function sg_page() returned a struct page pointer rather than a void * pointer, causing incorrect scaling of pread/pwrite operations on physical buffer objects (BOs). When a non‑zero offset is supplied, the driver mistakenly accesses unintended portions of the BO, allowing a local application to read from or write to arbitrary memory regions. This flaw can lead to corruption of kernel data or disclosure of kernel contents, providing a path for privilege escalation.
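The scaling error described above can be reproduced in a userspace model. This is an added illustration, not code from the kernel or from the fix commit; the 64-byte struct page, the one-page BO size and the helper names (model_sg_page, buggy_landing, fixed_landing, inside_bo) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's struct page. 64 bytes is an assumed size chosen
 * for illustration; the real size depends on architecture and config. */
struct page { unsigned char opaque[64]; };

#define BO_SIZE 4096u  /* constructed: a one-page phys BO */

/* Arena of BO_SIZE elements so the mis-scaled pointer can be formed and
 * measured without undefined behaviour; the BO is its first BO_SIZE bytes. */
static struct page arena[BO_SIZE];

/* Model of the description: the BO's address comes back typed as
 * struct page *, not void *. Hypothetical helper, not the kernel API. */
static struct page *model_sg_page(void) { return arena; }

/* Pre-fix arithmetic: "+ offset" on a struct page * advances by
 * offset * sizeof(struct page) bytes. Valid for offset <= BO_SIZE. */
size_t buggy_landing(size_t offset)
{
    struct page *p = model_sg_page() + offset;
    return (size_t)((unsigned char *)p - (unsigned char *)arena);
}

/* Byte-granular arithmetic: convert to a byte pointer before adding. */
size_t fixed_landing(size_t offset)
{
    unsigned char *p = (unsigned char *)model_sg_page() + offset;
    return (size_t)(p - (unsigned char *)arena);
}

/* Returns 1 if [landing, landing + len) stays inside the BO, else 0. */
int inside_bo(size_t landing, size_t len)
{
    return landing <= BO_SIZE && len <= BO_SIZE - landing;
}

int main(void)
{
    size_t offs[] = { 0, 16, 64, 100, 4000 };  /* constructed sample offsets */
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++) {
        size_t b = buggy_landing(offs[i]), f = fixed_landing(offs[i]);
        printf("offset %4zu: buggy -> byte %6zu (%s), fixed -> byte %4zu (%s)\n",
               offs[i], b, inside_bo(b, 8) ? "in BO" : "OUTSIDE BO",
               f, inside_bo(f, 8) ? "in BO" : "OUTSIDE BO");
    }
    return 0;
}
```

Offset 0 behaves identically in both forms, which is why only non‑zero offsets expose the problem.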

Affected Systems

The vulnerability applies to systems running the Linux kernel on Intel GPUs that use physical mapping for overlay or cursor planes, specifically Gen3, 945G, and Lakeport platforms. Any system that has enabled these planes and is running a kernel version prior to the commit that fixed the scaling logic is potentially affected.

Risk and Exploitability

The flaw constitutes an out‑of‑bounds memory access (CWE‑787). Although no EPSS score is published and the issue is not in the CISA KEV catalog, the potential for kernel memory corruption and privilege escalation signifies a high integrity impact for impacted systems. Attackers require local access to the device file and must orchestrate pread/pwrite calls with offset values. Given the lack of mitigation information, the risk remains high for affected hardware until the kernel is updated.

Generated by OpenCVE AI on July 1, 2026 at 14:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that includes commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6 to resolve the incorrect offset scaling in the i915 driver.
  • Reboot the system after upgrading to ensure the new kernel is in use.
  • If immediate kernel upgrade is not feasible, avoid using non‑zero offset pread/pwrite on physical buffer objects and, if possible, disable GPU overlay or cursor planes that rely on physical mapping through kernel parameters or driver configuration.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 15:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-787

Wed, 01 Jul 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Fix phys BO pread/pwrite with offset sg_page() returns struct page pointer not (void *) so the scaling of pread/pwrite is wrong for phys BO and wrong parts of BO would be accessed if non-zero offset is used. Last impacted platform with overlay or cursor planes using phys mapping was Gen3/945G/Lakeport. (cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
Title | | drm/i915/gem: Fix phys BO pread/pwrite with offset
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-01T13:32:31.428Z

Reserved: 2026-06-09T07:44:35.400Z

Link: CVE-2026-53356

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T20:15:04Z

Weaknesses