CVE-2026-53145
Received Received - Intake
Race Condition in Linux Kernel DRM GEM Handle Management

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/gem: Try to fix change_handle ioctl, attempt 4 [airlied: just added some comments on how to reenable] On-list because the cat is out of the bag and we're clearly not good enough to figure this out in private. The story thus far: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle") tried to fix a race condition between the gem_close and gem_change_handle ioctls, but got a few things wrong: - There's a confusion with the local variable handle, which is actually the new handle, and so the two-stage trick was actually applied to the wrong idr slot. 7164d78559b0 ("drm/gem: fix race between change_handle and handle_delete") tried to fix that by adding yet another code block, but forgot to add the error handling. Which meant we now have two paths, both kinda wrong. - dc366607c41c ("drm: Replace old pointer to new idr") tried to apply another fix, but inconsistently, again because of the handle confusion - this would be the right fix (kinda, somewhat, it's a mess) if we'd do the two-stage approach for the new handle. Except that wasn't the intent of the original fix. We also didn't have an igt merged for the original ioctl, which is a big no-go. This was attempted to address off-list in the original bugfix, and amd QA people claimed the bug was fixed now. Very clearly that's not the case. Here's my attempt to sort this out: - Rename the local variable to new_handle, the old aliasing with args->handle is just too dangerously confusing. - Merge the gem obj lookup with the two-stage idr_replace so that we avoid getting ourselves confused there. - This means we don't have a surplus temporary reference anymore, only an inherited from the idr. A concurrent gem_close on the new_handle could steal that. Fix that with the same two-stage approach create_tail uses. This is a bit overkill as documented in the comment, but I also don't trust my ability to understand this all correctly, so go with the established pattern we have from other ioctls instead for maximum paranoia. - Adjust error paths. I've tried to make the error and success paths common, because they are identical except for which handle is removed and on which we call idr_replace to (re)install the object again. But that made things messier to read, so I've left it at the more verbose version, which unfortunately hides the symmetry in the entire code flow a bit. - While at it, also replace the 7 space indent with 1 tab. And finally, because I flat out don't trust my abilities here at all anymore: - Disable the ioctl until we have the igt situation and everything else sorted out on-list and with full consensus. v2: Sashiko noticed that I didn't handle the error path for idr_replace correctly, it must be checked with IS_ERR_OR_NULL like in gem_handle_delete. So yeah, definitely should just the existing paths 1:1 because this is endless amounts of tricky. Also add the Fixes: line for the original ioctl, I forgot that too.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53145
EUVD
EUVD-2026-39236
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a race condition in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically in the gem (Graphics Execution Manager) change_handle ioctl function. The issue arises from confusion and incorrect handling of handles (identifiers for graphics objects) during concurrent operations between gem_close and gem_change_handle ioctls. Multiple attempted fixes introduced further complexity and errors, such as incorrect variable usage, missing error handling, and inconsistent application of a two-stage replacement approach. The vulnerability involves mishandling of object references and idr slots, which could lead to unstable or incorrect behavior in the kernel's graphics memory management.

The developers attempted several fixes to address the race condition, including renaming variables for clarity, merging object lookups with idr replacements, and applying a two-stage approach to avoid temporary reference issues. However, due to the complexity and difficulty in fully understanding the problem, the ioctl was disabled until proper testing and consensus could be achieved.

Impact Analysis

This vulnerability could lead to race conditions in the Linux kernel's graphics memory management, potentially causing instability or unexpected behavior in graphics-related operations. If exploited or triggered, it might result in improper handling of graphics object references, which could cause crashes, memory corruption, or denial of service in systems using the affected kernel versions.

Mitigation Strategies

The vulnerability involves a race condition in the Linux kernel's drm/gem subsystem related to the change_handle ioctl.

Immediate mitigation steps include disabling the affected ioctl until a proper fix with full consensus and testing (including igt tests) is available.

Applying the updated kernel patch that renames variables for clarity, merges gem object lookup with idr_replace, fixes error handling, and uses a two-stage approach to avoid race conditions is necessary once available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53145. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart