CVE-2026-52966
Analyzed Analyzed - Analysis Complete

Use-After-Free in Linux Kernel DRM Subsystem

Vulnerability report for CVE-2026-52966, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: drm: Replace old pointer to new idr Commit 5e28b7b94408 introduced a logical error by failing to replace the newly generated IDR pointer to old id's pointer at the correct location within the "change handle" logic; this resulted in the issue reported by syzbot [1]. Specifically, the new IDR object pointer is intended to replace the original id's pointer during the normal execution flow. Additionally, an unnecessary conditional check for the ret exit path has been removed. [1] !RB_EMPTY_ROOT(&prime_fpriv->dmabufs) WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833 Call Trace: drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269 drm_file_free drivers/gpu/drm/drm_file.c:237 [inline] drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290 drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 6.18.32
linux linux_kernel 7.0.9

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel involves a logical error introduced by a commit that failed to properly replace a newly generated IDR pointer with the old IDR pointer in the "change handle" logic. Specifically, the new IDR object pointer was supposed to replace the original pointer during normal execution, but this replacement did not occur correctly.

As a result, this caused issues related to the management of DRM (Direct Rendering Manager) resources, as indicated by warnings and call traces in the drm_prime_destroy_file_private function. Additionally, an unnecessary conditional check was removed to clean up the code.

Impact Analysis

This vulnerability in the Linux kernel involves a logical error in the DRM subsystem where a newly generated IDR pointer was not correctly replaced with the old IDR pointer during the 'change handle' logic. This could potentially lead to improper handling of GPU-related resources.

The impact may include instability or unexpected behavior in graphics device management, possibly causing resource leaks or crashes related to GPU buffer management.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52966. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart