CVE-2026-46209
Received - Intake
Integer Division Flaw in Linux Kernel DRM GEM Plane Calculation

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()

drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:

    unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
    unsigned int height = mode_cmd->height / (i ? info->vsub : 1);

However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.

For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.

Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().
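The arithmetic described above, reproduced as an added user-space example (not kernel code and not part of the original advisory). The helper names, the simplified min_size formula, and the 64-byte pitch, row and offset values are assumptions constructed for illustration.

```c
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Chroma-plane height as the pre-fix code computed it: plain division. */
static unsigned int plane_height_floor(unsigned int fb_height,
                                       unsigned int vsub, int plane)
{
    return fb_height / (plane ? vsub : 1);
}

/* Plane height as framebuffer_check() and the fix compute it: rounded up. */
static unsigned int plane_height_round_up(unsigned int fb_height,
                                          unsigned int vsub, int plane)
{
    return DIV_ROUND_UP(fb_height, plane ? vsub : 1);
}

/*
 * Assumed model of the size guard: bytes a plane needs, computed in
 * unsigned int arithmetic. With height == 0, (height - 1) wraps to UINT_MAX.
 */
static unsigned int min_size(unsigned int height, unsigned int pitch,
                             unsigned int last_row_bytes, unsigned int offset)
{
    return (height - 1) * pitch + last_row_bytes + offset;
}

int main(void)
{
    /* Constructed case: NV12 (vsub=2), 1-pixel-tall framebuffer, plane 1. */
    unsigned int fb_height = 1, vsub = 2;
    unsigned int pitch = 64, last_row = 64, offset = 64;

    unsigned int h_old = plane_height_floor(fb_height, vsub, 1);
    unsigned int h_new = plane_height_round_up(fb_height, vsub, 1);

    printf("pre-fix: height=%u min_size=%u\n",
           h_old, min_size(h_old, pitch, last_row, offset));
    printf("fixed:   height=%u min_size=%u\n",
           h_new, min_size(h_new, pitch, last_row, offset));
    return 0;
}
```

In this constructed case the pre-fix guard asks for fewer bytes than the chroma plane actually spans, which is the inconsistency the fix removes.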
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically in the function drm_gem_fb_init_with_funcs(). The function calculates sub-sampled plane dimensions using plain integer division, which is inconsistent with another part of the code (framebuffer_check()) that uses a rounding-up method (DIV_ROUND_UP()).

Because of this inconsistency, the size check for certain pixel formats and framebuffer dimensions can be corrupted. For example, with the NV12 pixel format and a 1-pixel-tall framebuffer, the height calculation results in zero instead of one. This causes an unsigned integer underflow and an overflow in the minimum size calculation, allowing a very small GEM object to pass the size validation.

As a result, when the GPU accesses the chroma plane, it may read or write memory beyond the allocated object's bounds, potentially leading to memory corruption.


How can this vulnerability impact me?

This vulnerability can lead to out-of-bounds memory access by the GPU when handling certain framebuffer formats and dimensions. Such memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the corrupted memory.


What immediate steps should I take to mitigate this vulnerability?

This vulnerability in the Linux kernel's DRM subsystem is caused by inconsistent plane dimension calculations leading to potential memory corruption.

To mitigate this vulnerability, you should update your Linux kernel to a version where the drm_gem_fb_init_with_funcs() function has been fixed to use drm_format_info_plane_width() and drm_format_info_plane_height() with DIV_ROUND_UP() for consistent dimension calculations.

Applying the latest kernel patches or upgrading to a kernel version released after 2026-05-28, when this fix was published, is the recommended immediate step.

