PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46215 Linux CVE debrief

A use-after-free vulnerability in the Linux kernel's Direct Rendering Manager (DRM) subsystem has been resolved. The flaw existed in the `change_handle` function, where a race condition could occur during prime handle swapping. The ioctl temporarily created a single GEM object with two IDR entries; a concurrent `gem_close` operation could delete the object and remove one handle while leaving the other dangling, leading to potential use-after-free when subsequently dereferenced. The fix mirrors the approach used in `gem_close` and `drm_gem_handle_create_tail`: the old handle is first replaced with NULL in the IDR, and only closed after successful prime operations. This prevents the race window where a dangling handle could exist. The vulnerability was published on 2026-05-28 and affects the Linux kernel DRM subsystem. No CVSS score has been assigned as of the CVE publication date.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Linux system administrators, kernel maintainers, and organizations running multi-user systems with GPU access where untrusted users may execute graphics workloads. Cloud providers and desktop environments using DRM prime buffer sharing should prioritize assessment.

Technical summary

The vulnerability is a use-after-free in the Linux kernel's DRM subsystem, specifically in the `change_handle` function used for prime handle operations. The root cause is a race condition where the ioctl temporarily creates two IDR entries pointing to the same GEM object. A concurrent `gem_close` could free the object while one handle remains, leading to use-after-free. The fix implements a two-phase update: first replace the old handle with NULL in the IDR (preventing concurrent lookup), then perform prime operations, and finally close the old handle only on success. This pattern follows prior fixes in `gem_close` (commit f6cd7daecff5) and `drm_gem_handle_create_tail` (commit bd46cece51a3). The `change_handle` function holds the prime lock throughout, eliminating the need for the full allocation-then-swap pattern used in `create_tail`.
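The ordering problem and the NULL-first fix described above can be seen in a small user-space model. This is an added example, not kernel code or code from the referenced commits: `struct obj`, `struct slot`, `model_close` and `simulate` are hypothetical names, the racing close is placed at a fixed point instead of using threads, and a `freed` flag stands in for the real free.

```c
#include <stdio.h>

/* Toy user-space model; every name here is hypothetical, not kernel code. */
struct obj  { int handle_count; int freed; };
struct slot { int used; struct obj *ptr; };  /* used + NULL ptr = reserved ID */
#define NSLOTS 8
static struct slot table[NSLOTS];

/* Models a concurrent close: look up, drop the ID, drop the handle reference. */
static int model_close(int h)
{
    struct obj *o = table[h].used ? table[h].ptr : NULL;
    if (!o)
        return -1;                      /* NULL entry: nothing to close */
    table[h] = (struct slot){ 0, NULL };
    if (--o->handle_count == 0)
        o->freed = 1;                   /* stands in for the real free */
    return 0;
}

/* Runs change_handle(old -> new) with a close(old) landing mid-ioctl.
 * Returns 1 if a live ID ends up pointing at a freed object, else 0. */
int simulate(int fixed)
{
    static struct obj o;
    int old_h = 1, new_h = 2, dangling = 0;

    o = (struct obj){ 1, 0 };           /* one object, one handle reference */
    for (int i = 0; i < NSLOTS; i++)
        table[i] = (struct slot){ 0, NULL };
    table[old_h] = (struct slot){ 1, &o };

    if (fixed)
        table[old_h].ptr = NULL;        /* phase 1: hide old handle, keep ID */
    table[new_h] = (struct slot){ 1, &o };  /* second ID, same single reference */
    model_close(old_h);                 /* the racing close on the old handle */
    if (fixed)
        table[old_h].used = 0;          /* phase 2: prime ops done, release ID */

    for (int i = 0; i < NSLOTS; i++)
        if (table[i].used && table[i].ptr && table[i].ptr->freed)
            dangling = 1;
    return dangling;
}

int main(void)
{
    printf("original=%d null_first=%d\n", simulate(0), simulate(1));
    return 0;
}
```

In the original ordering the close finds the old entry, drops the only handle reference and leaves the new ID pointing at the freed object; with the old entry set to NULL first, the close fails its lookup and the object stays alive.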

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable commits when available for your distribution
  • Monitor Linux distribution security advisories for backported fixes
  • Review systems using DRM prime buffer sharing for potential exposure
  • Prioritize patching on multi-user systems where untrusted users can execute GPU workloads

Evidence notes

The vulnerability description is sourced from the official CVE record published by NVD on 2026-05-28. The fix references three kernel.org stable commits. The vendor identification is marked as low confidence ('Unknown Vendor') with 'Kernel' as a candidate domain, requiring review.

Official resources

2026-05-28