PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45956 Linux CVE debrief

A vulnerability in the Linux kernel's DRM/Exynos VIDI driver could allow local attackers to trigger memory safety errors, including null pointer dereferences, use-after-free, and out-of-bounds access. The flaw exists in vidi_connection_ioctl(), which incorrectly retrieves driver_data from the exynos-drm master device rather than the VIDI component device, leading to type confusion and potential memory corruption. The issue was resolved by storing the correct vidi device pointer in exynos_drm_private and using it for context lookup.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux on Exynos-based devices with VIDI (Virtual Display) output support, particularly embedded systems, mobile devices, and development boards using Samsung Exynos SoCs. System administrators of multi-user Linux systems where local attackers could attempt privilege escalation through the DRM subsystem.

Technical summary

The vidi_connection_ioctl() function in drivers/gpu/drm/exynos/exynos_drm_vidi.c incorrectly uses drm_dev->dev->driver_data to obtain a struct vidi_context pointer. However, drm_dev->dev refers to the exynos-drm master platform device, not the VIDI component device. The driver_data field in the master device contains a struct exynos_drm_private pointer, not a struct vidi_context pointer. This type confusion can result in accessing invalid memory when the code treats the exynos_drm_private structure as a vidi_context structure. The vulnerability manifests as null pointer dereferences, garbage value reads, or in severe cases, out-of-bounds access and use-after-free conditions. The resolution stores the actual VIDI device pointer in exynos_drm_private->vidi_dev during component bind/unbind, then retrieves this stored pointer in the ioctl handler to obtain the correct context.
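
The two lookups described above, as an added user-space model that is not the kernel's code or the upstream patch. The structs are simplified stand-ins, the field `connection`, the helpers `model_bind`/`model_unbind` and the function names `lookup_before_fix`/`lookup_after_fix` are hypothetical, and the NULL return for an unbound VIDI device is this model's choice.

```c
/* Added user-space model; simplified stand-ins, not kernel source. */
#include <stddef.h>
#include <stdio.h>

struct device { void *driver_data; };
struct drm_device { struct device *dev; };      /* dev = exynos-drm master */
struct exynos_drm_private { struct device *vidi_dev; };
struct vidi_context { int connection; };        /* field chosen for the model */

static void *dev_get_drvdata(const struct device *d) { return d->driver_data; }

/* Pre-fix lookup: the master device's driver_data is reinterpreted as a
 * vidi_context. The pointer is only returned here, never dereferenced. */
struct vidi_context *lookup_before_fix(struct drm_device *drm)
{
    return (struct vidi_context *)dev_get_drvdata(drm->dev);
}

/* Post-fix lookup: go through the VIDI device recorded at bind time. */
struct vidi_context *lookup_after_fix(struct drm_device *drm)
{
    struct exynos_drm_private *priv = dev_get_drvdata(drm->dev);

    if (!priv || !priv->vidi_dev)
        return NULL;    /* model's choice: let the caller reject the request */
    return dev_get_drvdata(priv->vidi_dev);
}

/* Hypothetical bind/unbind helpers mirroring what the fix records. */
void model_bind(struct exynos_drm_private *p, struct device *vidi) { p->vidi_dev = vidi; }
void model_unbind(struct exynos_drm_private *p) { p->vidi_dev = NULL; }

int main(void)
{
    struct vidi_context ctx = { .connection = 1 };
    struct device vidi = { .driver_data = &ctx };
    struct exynos_drm_private priv = { NULL };
    struct device master = { .driver_data = &priv };
    struct drm_device drm = { .dev = &master };

    model_bind(&priv, &vidi);
    printf("before fix returns real context: %d\n", lookup_before_fix(&drm) == &ctx);
    printf("after fix returns real context:  %d\n", lookup_after_fix(&drm) == &ctx);
    model_unbind(&priv);
    printf("after unbind lookup is NULL:     %d\n", lookup_after_fix(&drm) == NULL);
    return 0;
}
```

In the model the pre-fix lookup hands back the address of the exynos_drm_private object, so any field access through it would read unrelated memory, which is the type confusion the summary describes.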

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the fix commits for affected stable branches
  • Review systems using Exynos-based devices with VIDI display output for kernel version exposure
  • Monitor for local privilege escalation attempts on multi-user Exynos systems
  • Validate that exynos_drm_private->vidi_dev is properly initialized in custom kernel builds

Evidence notes

The vulnerability description indicates this is a type confusion bug where vidi_connection_ioctl() retrieves driver_data from drm_dev->dev (the exynos-drm master device) instead of the actual VIDI component device. The driver_data in the master device contains a different structure entirely, leading to incorrect pointer dereferences when cast to struct vidi_context. The fix involves storing the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind operations and reading from this location in the ioctl handler. Multiple stable kernel branches received patches as indicated by seven distinct git.kernel.org stable commits.

Official resources

2026-05-27