CVE-2026-23149

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()

Since GEM bo handles are u32 in the uapi and the internal implementation uses idr_alloc() which uses int ranges, passing a new handle larger than INT_MAX trivially triggers a kernel warning:

idr_alloc(): … if (WARN_ON_ONCE(start < 0)) return -EINVAL; …

Fix it by rejecting new handles above INT_MAX and at the same time make the end limit calculation more obvious by moving into int domain.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux53096728b8910c6916ecc6c46a5abc5c678b58d9 < ae8831ee0fb2f5f41f39722e7b3749d65bb78d08affected
LinuxLinux53096728b8910c6916ecc6c46a5abc5c678b58d9 < 12f15d52d38ac53f7c70ea3d4b3d76afed04e064affected
LinuxLinux6.18affected
LinuxLinux0 < 6.18unaffected
LinuxLinux6.18.9 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References