PT-2026-44338 · Linux · Linux Kernel

Published

2026-04-12

·

Updated

2026-07-12

·

CVE-2026-46215

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel versions 6.18-rc1 through 7.0
Description A use-after-free issue exists in the Direct Rendering Manager (DRM) GEM subsystem due to a race condition in the change handle() function. The ioctl briefly associates a single object with two idr entries; if a concurrent gem close() function deletes the object and removes one handle, the other remains dangling. This dangling handle can subsequently be dereferenced, allowing a local unprivileged user to escalate privileges to root. Technical exploitation involves reallocating the freed memory as a pipe buffer array to perform a Dirty Pipe attack by setting the PIPE BUF FLAG CAN MERGE flag.
Recommendations Update the Linux kernel to version 7.1 or later. As a temporary mitigation, restrict access to DRM render nodes for unprivileged users.

Exploit

Fix

LPE

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-09285
CVE-2026-46215
OPENSUSE-SU-2026:10954-1

Affected Products

Linux Kernel