PT-2026-44332 · Linux · Linux Kernel

Published

2026-05-28

·

Updated

2026-07-07

·

CVE-2026-46209

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 7.0.11-1.1
Description An inconsistency exists in the calculation of sub-sampled plane dimensions within the drm gem fb init with funcs() function. While the framebuffer check() function uses DIV ROUND UP() to round up dimensions, drm gem fb init with funcs() uses plain integer division. This discrepancy can lead to incorrect GEM object size checks for specific pixel formats and dimensions. For instance, with NV12 (vsub=2) and a 1-pixel-tall framebuffer, the height is calculated as 0 instead of 1, causing an unsigned integer wrap to UINT MAX. This results in a size overflow that allows a small GEM object to pass validation, potentially leading to out-of-bounds memory reads or writes when the GPU accesses the chroma plane.
Recommendations Update to version 7.0.11-1.1.

Exploit

Fix

DoS

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

ALSA-2026:34911
ALSA-2026:36018
ALSA-2026:36348
ALSA-2026:36349
CVE-2026-46209
ECHO-9BD7-FC16-8F85
OESA-2026-2673
OESA-2026-2674
OPENSUSE-SU-2026:10954-1
RHSA-2026:34911
SUSE-SU-2026:22108-1
SUSE-SU-2026:22137-1
SUSE-SU-2026:22433-1
SUSE-SU-2026:22458-1
SUSE-SU-2026:2482-1
SUSE-SU-2026:2591-1
SUSE-SU-2026:2632-1

Affected Products

Linux Kernel