CVE-2026-43236
Awaiting Analysis
Use-After-Free in Linux Kernel DRM atmel-hlcdc Driver

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release

The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying the atmel_hlcdc_plane state structure without properly duplicating the drm_plane_state. In particular, state->commit remained set to the old state commit, which can lead to a use-after-free in the next drm_atomic_commit() call.

Fix this by calling __drm_atomic_helper_duplicate_plane_state(), which correctly clones the base drm_plane_state (including the ->commit pointer).

It has been seen when closing and re-opening the device node while another DRM client (e.g. fbdev) is still attached:

    =============================================================================
    BUG kmalloc-64 (Not tainted): Poison overwritten
    -----------------------------------------------------------------------------
    0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b
    FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b
    Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0 pid=29
     drm_atomic_helper_setup_commit+0x1e8/0x7bc
     drm_atomic_helper_commit+0x3c/0x15c
     drm_atomic_commit+0xc0/0xf4
     drm_framebuffer_remove+0x4cc/0x5a8
     drm_mode_rmfb_work_fn+0x6c/0x80
     process_one_work+0x12c/0x2cc
     worker_thread+0x2a8/0x400
     kthread+0xc0/0xdc
     ret_from_fork+0x14/0x28
    Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0 pid=169
     drm_atomic_helper_commit_hw_done+0x100/0x150
     drm_atomic_helper_commit_tail+0x64/0x8c
     commit_tail+0x168/0x18c
     drm_atomic_helper_commit+0x138/0x15c
     drm_atomic_commit+0xc0/0xf4
     drm_atomic_helper_set_config+0x84/0xb8
     drm_mode_setcrtc+0x32c/0x810
     drm_ioctl+0x20c/0x488
     sys_ioctl+0x14c/0xc20
     ret_fast_syscall+0x0/0x54
    Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0 flags=0x200(workingset|zone=0)
    Object 0xc611b340 @offset=832 fp=0xc611b7c0

Meta Information

Published: 2026-05-06
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-05-06
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor        Product       Version / Range
linux         linux_kernel  *
linux_kernel  linux_kernel  *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free issue in the Linux kernel's drm/atmel-hlcdc driver. Specifically, the atmel_hlcdc_plane_atomic_duplicate_state() callback was copying the plane state structure without properly duplicating the drm_plane_state. As a result, the commit pointer in the state structure remained pointing to an old, freed commit, which can lead to a use-after-free error during the next drm_atomic_commit() call.

The problem occurs when closing and reopening the device node while another DRM client, such as fbdev, is still attached. The fix involved correctly cloning the base drm_plane_state, including the commit pointer, by calling __drm_atomic_helper_duplicate_plane_state().
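The copy-without-duplicate pattern described above, as an added user-space model (not the driver's or the kernel's code). All type and function names are illustrative stand-ins, and the fixed variant assumes that proper duplication leaves the copy with no stale commit attached, modelled here by resetting the pointer.

```c
/* Simplified user-space model; every name here is illustrative, not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct commit { int refcount; int live; };                /* models drm_crtc_commit */
struct base_state { struct commit *commit; };             /* models drm_plane_state */
struct hlcdc_state { struct base_state base; int priv; }; /* driver subclass */

static struct commit slot; /* static storage, so a "freed" commit stays inspectable */

static void commit_put(struct commit *c)
{
    if (c && --c->refcount == 0)
        c->live = 0;                                      /* stands in for kfree() */
}

/* Buggy pattern: whole-struct copy keeps base.commit without owning a reference. */
static struct hlcdc_state *dup_buggy(const struct hlcdc_state *old)
{
    struct hlcdc_state *n = malloc(sizeof(*n));
    if (n) memcpy(n, old, sizeof(*n));
    return n;
}

/* Fixed pattern (assumption): the duplicate starts with no commit attached. */
static struct hlcdc_state *dup_fixed(const struct hlcdc_state *old)
{
    struct hlcdc_state *n = dup_buggy(old);
    if (n) n->base.commit = NULL;
    return n;
}

/* Returns 1 if the duplicate still points at a commit that has been released. */
static int dangling_after_release(struct hlcdc_state *(*dup)(const struct hlcdc_state *))
{
    struct hlcdc_state old = { .base = { .commit = &slot }, .priv = 7 };
    slot = (struct commit){ .refcount = 1, .live = 1 };   /* old state holds the only ref */
    struct hlcdc_state *copy = dup(&old);
    if (!copy) return -1;
    commit_put(old.base.commit);                          /* old state torn down */
    int dangling = copy->base.commit != NULL && !copy->base.commit->live;
    free(copy);
    return dangling;
}

int main(void)
{
    printf("buggy: %d, fixed: %d\n",
           dangling_after_release(dup_buggy), dangling_after_release(dup_fixed));
    return 0;
}
```

The model marks the commit as released instead of freeing it, so the stale pointer can be inspected without touching freed memory.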


How can this vulnerability impact me?

This use-after-free vulnerability can lead to memory corruption in the Linux kernel's graphics subsystem. Such corruption may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges if exploited.

The issue arises when device nodes are closed and reopened while other DRM clients remain attached, which could be triggered by normal user actions or maliciously crafted inputs.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a use-after-free error in the Linux kernel's DRM subsystem, specifically related to the atmel_hlcdc driver. Detection can be done by monitoring kernel logs for error messages indicating use-after-free or memory corruption related to drm_atomic_commit or drm_crtc_commit.

You can check the kernel logs using commands such as:

  • dmesg | grep -i drm
  • journalctl -k | grep -i drm
  • grep -i 'use-after-free' /var/log/kern.log

Look for messages similar to "BUG kmalloc-64 (Not tainted): Poison overwritten" or stack traces involving drm_atomic_commit and drm_atomic_helper_commit functions.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been fixed by properly duplicating the drm_plane_state in the atmel_hlcdc driver to avoid use-after-free conditions.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid closing and reopening the device node of the atmel_hlcdc DRM device while other DRM clients (such as fbdev) are still attached.
  • Monitor kernel logs for related errors and avoid workloads that trigger the vulnerable code path until patched.
