CVE-2026-43368
Received Received - Intake
Integer Overflow in Linux Kernel i915 Driver

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential overflow of shmem scatterlist length When a scatterlists table of a GEM shmem object of size 4 GB or more is populated with pages allocated from a folio, unsigned int .length attribute of a scatterlist may get overflowed if total byte length of pages allocated to that single scatterlist happens to reach or cross the 4GB limit. As a consequence, users of the object may suffer from hitting unexpected, premature end of the object's backing pages. [278.780187] ------------[ cut here ]------------ [278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915] ... [278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary) [278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER [278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024 [278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915] ... [278.780786] Call Trace: [278.780787] <TASK> [278.780788] ? __apply_to_page_range+0x3e6/0x910 [278.780795] ? __pfx_remap_sg+0x10/0x10 [i915] [278.780906] apply_to_page_range+0x14/0x30 [278.780908] remap_io_sg+0x14d/0x260 [i915] [278.781013] vm_fault_cpu+0xd2/0x330 [i915] [278.781137] __do_fault+0x3a/0x1b0 [278.781140] do_fault+0x322/0x640 [278.781143] __handle_mm_fault+0x938/0xfd0 [278.781150] handle_mm_fault+0x12c/0x300 [278.781152] ? lock_mm_and_find_vma+0x4b/0x760 [278.781155] do_user_addr_fault+0x2d6/0x8e0 [278.781160] exc_page_fault+0x96/0x2c0 [278.781165] asm_exc_page_fault+0x27/0x30 ... That issue was apprehended by the author of a change that introduced it, and potential risk even annotated with a comment, but then never addressed. When adding folio pages to a scatterlist table, take care of byte length of any single scatterlist not exceeding max_segment. (cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2026-43368
EUVD
EUVD-2026-28674
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
intel linux_kernel *
intel linux_kernel 6.17.0-rc1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's drm/i915 driver, specifically related to the handling of scatterlists for GEM shmem objects.

When a scatterlist table for a GEM shmem object reaches or exceeds 4 GB in size, the unsigned int length attribute of a scatterlist can overflow. This overflow occurs because the total byte length of pages allocated to a single scatterlist crosses the 4 GB limit.

As a result, users of the object may experience an unexpected and premature end of the object's backing pages, potentially causing issues in memory management or GPU operations.

The vulnerability was introduced by a previous change and was noted but not fixed until this update, which ensures that the byte length of any single scatterlist does not exceed the maximum segment size.


How can this vulnerability impact me? :

This vulnerability can cause an overflow in the scatterlist length attribute, leading to an unexpected premature end of the backing pages for a GEM shmem object.

Such an overflow may result in memory management errors or instability in GPU-related operations that rely on these scatterlists.

In practical terms, this could cause system crashes, data corruption, or unexpected behavior in applications using the affected graphics driver.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability may be detected by monitoring kernel logs for specific warning messages related to the i915 driver. Look for warnings indicating a potential overflow in the scatterlist length, such as messages containing 'WARNING: CPU' and references to 'remap_sg' in the i915 driver.

You can use the following command to check the kernel log for such warnings:

  • dmesg | grep -i 'WARNING.*i915'
  • journalctl -k | grep -i 'WARNING.*i915'

These commands search for warning messages in the kernel logs that may indicate the presence of this vulnerability being triggered.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the overflow of the shmem scatterlist length in the i915 driver.

The fix ensures that when adding folio pages to a scatterlist table, the byte length of any single scatterlist does not exceed the maximum segment size, preventing overflow.

Until the kernel is updated, monitor kernel logs for warning messages related to this issue and avoid workloads that may allocate scatterlists of 4 GB or more in size.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart