7.8

CVE-2026-23227

drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free

In the Linux kernel, the following vulnerability has been resolved:

drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free

Exynos Virtual Display driver performs memory alloc/free operations
without lock protection, which easily causes concurrency problem.

For example, use-after-free can occur in race scenario like this:
```
	CPU0				CPU1				CPU2
	----				----				----
  vidi_connection_ioctl()
    if (vidi->connection) // true
      drm_edid = drm_edid_alloc(); // alloc drm_edid
      ...
      ctx->raw_edid = drm_edid;
      ...
								drm_mode_getconnector()
								  drm_helper_probe_single_connector_modes()
								    vidi_get_modes()
								      if (ctx->raw_edid) // true
								        drm_edid_dup(ctx->raw_edid);
								          if (!drm_edid) // false
								          ...
				vidi_connection_ioctl()
				  if (vidi->connection) // false
				    drm_edid_free(ctx->raw_edid); // free drm_edid
				    ...
								          drm_edid_alloc(drm_edid->edid)
								            kmemdup(edid); // UAF!!
								            ...
```

To prevent these vulns, at least in vidi_context, member variables related
to memory alloc/free should be protected with ctx->lock.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.6 < 6.12.77
LinuxLinux Kernel Version >= 6.13 < 6.18.11
LinuxLinux Kernel Version >= 6.19 < 6.19.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.15% 0.047
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/60b75407c172e1f341a8a5097c5cbc97dbbdd893
Patch
https://git.kernel.org/stable/c/0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385
Patch
https://git.kernel.org/stable/c/52b330799e2d6f825ae2bb74662ec1b10eb954bb
Patch
https://git.kernel.org/stable/c/abfdf449fb3d7b42e85a1ad1c8694b768b1582f4
Patch
https://git.kernel.org/stable/c/1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13
https://git.kernel.org/stable/c/92dd1f38d7db75374dcdaf54f1d79d67bffd54e5
https://git.kernel.org/stable/c/56966a4cfa925ec24edb68ab652a740a7abe2c4d
https://git.kernel.org/stable/c/9e1ef9396a1899925911b1729cb65665420268df