PT-2026-44338 · Linux · Linux Kernel
Published
2026-04-12
·
Updated
2026-07-12
·
CVE-2026-46215
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions 6.18-rc1 through 7.0
Description
A use-after-free issue exists in the Direct Rendering Manager (DRM) GEM subsystem due to a race condition in the
change handle() function. The ioctl briefly associates a single object with two idr entries; if a concurrent gem close() function deletes the object and removes one handle, the other remains dangling. This dangling handle can subsequently be dereferenced, allowing a local unprivileged user to escalate privileges to root. Technical exploitation involves reallocating the freed memory as a pipe buffer array to perform a Dirty Pipe attack by setting the PIPE BUF FLAG CAN MERGE flag.Recommendations
Update the Linux kernel to version 7.1 or later.
As a temporary mitigation, restrict access to DRM render nodes for unprivileged users.
Exploit
Fix
LPE
Use After Free
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Linux Kernel