SB2026052986 - Integer overflow in Linux kernel GPU DRM driver
Published: May 29, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Integer overflow (CVE-ID: CVE-2026-46209)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform out-of-bounds read or write operations.
The vulnerability exists due to an integer overflow in drm_gem_fb_init_with_funcs() when initializing framebuffer plane dimensions for sub-sampled pixel formats. A local user can create a specially crafted framebuffer configuration to perform out-of-bounds read or write operations.
The issue can occur for certain pixel format and dimension combinations where the plane height calculation truncates instead of rounding up, causing the GEM object size check to accept an undersized object.
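The truncation described above can be seen in a small model of a per-plane size check. This is an added example, not the kernel's code or the vendor's patch: the `plane_req` structure, the function names, and the simplified formula `rows * pitch + offset` are assumptions made for illustration, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified, assumed model of one framebuffer plane; not the kernel's structures. */
struct plane_req {
    uint32_t fb_height; /* framebuffer height in pixels */
    uint32_t vsub;      /* vertical sub-sampling factor for this plane */
    uint32_t pitch;     /* bytes per plane row */
    uint32_t offset;    /* byte offset of the plane in the backing object */
};

/* Truncating division drops the final partial row of a sub-sampled plane. */
static uint32_t rows_truncated(const struct plane_req *p)
{
    return p->fb_height / p->vsub;
}

/* Rounding up keeps the row that an odd height still needs. */
static uint32_t rows_rounded_up(const struct plane_req *p)
{
    return p->fb_height / p->vsub + (p->fb_height % p->vsub != 0);
}

/* Bytes needed for `rows` rows. 64-bit math: (2^32-1)^2 + (2^32-1) < 2^64, so no wrap. */
static uint64_t plane_bytes(const struct plane_req *p, uint32_t rows)
{
    return (uint64_t)rows * p->pitch + p->offset;
}

/* Weak check: sizes the plane from the truncated row count. */
static bool accepts_truncating(const struct plane_req *p, uint64_t obj_size)
{
    return p->vsub != 0 && obj_size >= plane_bytes(p, rows_truncated(p));
}

/* Corrected check: sizes the plane from the rounded-up row count. */
static bool accepts_rounding_up(const struct plane_req *p, uint64_t obj_size)
{
    return p->vsub != 0 && obj_size >= plane_bytes(p, rows_rounded_up(p));
}

int main(void)
{
    /* Constructed sample: height 5, 2x vertical sub-sampling, 64-byte rows. */
    struct plane_req p = { .fb_height = 5, .vsub = 2, .pitch = 64, .offset = 0 };
    printf("object of 128 bytes: truncating=%d rounding_up=%d\n",
           accepts_truncating(&p, 128), accepts_rounding_up(&p, 128));
    return 0;
}
```

With an odd height the two row counts differ by one, so the truncating check accepts an object that is one full row short of what the plane occupies.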
Remediation
Install the update from the vendor's website.
References
- https://git.kernel.org/stable/c/1a17ea9861e89585361caa8bc231bd22dc6dbe7d
- https://git.kernel.org/stable/c/1da4ab7189f1064b3b712b388772c008b4d82580
- https://git.kernel.org/stable/c/3d4c2268bd7243c3780fe32bf24ff876da272acf
- https://git.kernel.org/stable/c/6b992591e04f2cce813bcf239b354f375bbf84d3
- https://git.kernel.org/stable/c/c5fc49d8470c5ebf3b41607600f277158f159950