PT-2026-44332 · Linux · Linux Kernel
Published
2026-05-28
·
Updated
2026-07-07
·
CVE-2026-46209
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 7.0.11-1.1
Description
An inconsistency exists in the calculation of sub-sampled plane dimensions within the
drm gem fb init with funcs() function. While the framebuffer check() function uses DIV ROUND UP() to round up dimensions, drm gem fb init with funcs() uses plain integer division. This discrepancy can lead to incorrect GEM object size checks for specific pixel formats and dimensions. For instance, with NV12 (vsub=2) and a 1-pixel-tall framebuffer, the height is calculated as 0 instead of 1, causing an unsigned integer wrap to UINT MAX. This results in a size overflow that allows a small GEM object to pass validation, potentially leading to out-of-bounds memory reads or writes when the GPU accesses the chroma plane.Recommendations
Update to version 7.0.11-1.1.
Exploit
Fix
DoS
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Linux Kernel