Impact
In the Linux kernel’s i915 DRM driver, the pread and pwrite paths for physically contiguous buffer objects (phys BOs) added the user-supplied byte offset directly to the struct page pointer returned by sg_page(), rather than to the virtual address of that page. Because sg_page() returns a struct page *, not a void *, C pointer arithmetic scales the offset by sizeof(struct page), so any non-zero offset makes the driver touch the wrong location: a spot inside the object for small offsets, and memory beyond the object once the scaled offset exceeds the BO’s size. A local application with access to the device node can therefore read from or write to kernel memory outside the BO, which can corrupt kernel data or disclose kernel contents and provides a path to privilege escalation.
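The arithmetic behind that description, as an added userspace model that is not code from the kernel or from this advisory: a stand-in struct page of the same size class as the real one, stub sg_page_stub() and page_address_stub() helpers (hypothetical names, standing in for the kernel's sg_page() and page_address()), and a constructed one-page object. buggy_offset_bytes() reproduces the scaled arithmetic, fixed_offset_bytes() the byte-accurate form, and phys_pwrite_checked() the bounds check a pwrite path needs regardless of how the address is computed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096u

/* Constructed stand-in for the kernel's struct page: only its size matters
 * for this demonstration (the real one is about 64 bytes on x86-64). */
struct page {
    uint64_t flags;
    uint64_t pad[7];
};

/* Constructed single-page physical object: one descriptor plus its data. */
static struct page phys_page;
static unsigned char phys_data[PAGE_SIZE];

/* Hypothetical stand-ins for sg_page() and page_address(), not kernel code. */
static struct page *sg_page_stub(void)
{
    return &phys_page;
}

static void *page_address_stub(const struct page *p)
{
    return p == &phys_page ? phys_data : NULL;
}

/* Bug pattern the advisory describes: the user-supplied offset is added to the
 * struct page pointer, so it advances by sizeof(struct page) per unit, not by
 * one byte. Returns how many bytes past the page descriptor the result lands. */
static size_t buggy_offset_bytes(uint64_t offset)
{
    struct page *base = sg_page_stub();
    void *vaddr = base + offset;            /* compiles without a cast or warning */
    return (size_t)((uintptr_t)vaddr - (uintptr_t)base);
}

/* Corrected pattern: resolve the page to its virtual address first, then add
 * the offset as a byte count. */
static size_t fixed_offset_bytes(uint64_t offset)
{
    unsigned char *base = page_address_stub(sg_page_stub());
    unsigned char *vaddr = base + offset;
    return (size_t)(vaddr - base);
}

/* Smallest offset at which the scaled arithmetic leaves the page entirely. */
static uint64_t buggy_escape_offset(void)
{
    return PAGE_SIZE / sizeof(struct page);
}

/* pwrite into the one-page object using byte arithmetic plus an explicit,
 * overflow-safe bounds check. Returns 0 on success, -1 if the request does
 * not fit inside the object. */
static int phys_pwrite_checked(uint64_t offset, const void *src, uint64_t size)
{
    uint64_t end;

    if (__builtin_add_overflow(offset, size, &end) || end > PAGE_SIZE)
        return -1;
    memcpy((unsigned char *)page_address_stub(sg_page_stub()) + offset, src, size);
    return 0;
}

/* Read one byte of the object's data, to verify where a write landed. */
static unsigned char phys_data_at(uint64_t offset)
{
    return offset < PAGE_SIZE ? phys_data[offset] : 0;
}

int main(void)
{
    static const unsigned char payload[4] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed */

    printf("sizeof(struct page) = %zu\n", sizeof(struct page));
    printf("offset 16: buggy lands at byte %zu, fixed at byte %zu\n",
           buggy_offset_bytes(16), fixed_offset_bytes(16));
    printf("buggy arithmetic leaves the page from offset %llu onward\n",
           (unsigned long long)buggy_escape_offset());
    printf("checked pwrite of 4 bytes at 4092: %d\n", phys_pwrite_checked(4092, payload, 4));
    printf("checked pwrite of 4 bytes at 4093: %d\n", phys_pwrite_checked(4093, payload, 4));
    return 0;
}
```

The point the model makes concrete: with a 64-byte descriptor and a 4 KiB page, an offset below 64 still lands inside the object but at the wrong byte, and every offset from 64 upward lands outside it, which is why the bug is a write (and read) out of bounds rather than a mere data-placement error.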
Affected Systems
The vulnerability affects systems running the Linux kernel with the i915 driver on Intel GPUs that back the overlay or cursor planes with physically contiguous objects, specifically the Gen3, 945G, and Lakeport platforms. Any such system running a kernel older than the commit that corrected the offset arithmetic is potentially affected.
Risk and Exploitability
The flaw is an out‑of‑bounds write (CWE‑787). No EPSS score is published and the issue is not in the CISA KEV catalog, but kernel memory corruption with a privilege‑escalation path means a high integrity impact for affected systems. Exploitation requires local access: the attacker needs an open file descriptor on the i915 DRM device node and must issue pread/pwrite requests against a phys‑backed object with a non‑zero offset. With no mitigation published beyond updating, the risk remains high for affected hardware until the kernel is patched; until then, restricting which users can open the DRM device node is the only practical way to reduce exposure.
OpenCVE Enrichment