CVE-2026-23149
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()
Since GEM bo handles are u32 in the uapi and the internal implementation uses idr_alloc() which uses int ranges, passing a new handle larger than INT_MAX trivially triggers a kernel warning:
idr_alloc(): … if (WARN_ON_ONCE(start < 0)) return -EINVAL; …
Fix it by rejecting new handles above INT_MAX and at the same time make the end limit calculation more obvious by moving into int domain.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 53096728b8910c6916ecc6c46a5abc5c678b58d9 < ae8831ee0fb2f5f41f39722e7b3749d65bb78d08 | affected |
| Linux | Linux | 53096728b8910c6916ecc6c46a5abc5c678b58d9 < 12f15d52d38ac53f7c70ea3d4b3d76afed04e064 | affected |
| Linux | Linux | 6.18 | affected |
| Linux | Linux | 0 < 6.18 | unaffected |
| Linux | Linux | 6.18.9 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/ae8831ee0fb2f5f41f39722e7b3749d65bb78d08
- https://git.kernel.org/stable/c/12f15d52d38ac53f7c70ea3d4b3d76afed04e064
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.