HIGH · CVE-2026-45956 · CNA: Linux

CVE-2026-45956: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()

In the Linux kernel, the following vulnerability has been resolved:

drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()

vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device.

This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more.

To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer.
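The lookup mix-up described above can be reproduced in a small userspace model. This is an added example, not the kernel's code or the upstream patch: the struct layouts, `struct master_state`, `model_lookup()` and the NULL handling in the fixed lookup are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified userspace model: these structs are assumptions, not kernel layouts. */
struct device { void *driver_data; };
struct master_state { long unrelated[2]; };   /* constructed stand-in for the master's data */
struct vidi_context { int connected; };
struct exynos_drm_private { struct device *vidi_dev; };
struct drm_device { struct device *dev; struct exynos_drm_private *dev_private; };

static void *dev_get_drvdata(const struct device *d) { return d->driver_data; }

/* Before the fix: drm->dev is the exynos-drm master, so its driver_data is
 * not a vidi_context, yet it comes back typed as one. */
static struct vidi_context *ctx_lookup_before(struct drm_device *drm)
{
    return dev_get_drvdata(drm->dev);
}

/* After the fix: resolve through priv->vidi_dev (NULL handling is assumed here). */
static struct vidi_context *ctx_lookup_after(struct drm_device *drm)
{
    struct exynos_drm_private *priv = drm->dev_private;
    return (priv && priv->vidi_dev) ? dev_get_drvdata(priv->vidi_dev) : NULL;
}

static void vidi_bind(struct drm_device *drm, struct device *vidi, struct vidi_context *ctx)
{
    vidi->driver_data = ctx;
    drm->dev_private->vidi_dev = vidi;   /* pointer stored at bind */
}

static void vidi_unbind(struct drm_device *drm)
{
    drm->dev_private->vidi_dev = NULL;   /* pointer deleted at unbind */
}

/* Returns 1 if the lookup yields the real vidi context, 0 if it yields the
 * master's unrelated object, -1 if it yields NULL. Nothing is dereferenced. */
int model_lookup(int fixed, int bound)
{
    struct master_state other = { { 0, 0 } };
    struct vidi_context ctx = { 0 };
    struct device master = { &other }, vidi = { NULL };
    struct exynos_drm_private priv = { NULL };
    struct drm_device drm = { &master, &priv };
    void *got;

    vidi_bind(&drm, &vidi, &ctx);
    if (!bound)
        vidi_unbind(&drm);
    got = fixed ? (void *)ctx_lookup_after(&drm) : (void *)ctx_lookup_before(&drm);
    return got ? (got == (void *)&ctx) : -1;
}

int main(void)
{
    printf("before fix: bound=%d unbound=%d\n", model_lookup(0, 1), model_lookup(0, 0));
    printf("after fix:  bound=%d unbound=%d\n", model_lookup(1, 1), model_lookup(1, 0));
    return 0;
}
```

In the model, the pre-fix lookup returns the master's object whether or not vidi is bound, while the post-fix lookup returns the real context when bound and NULL after unbind, which a caller can reject.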

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A use-after-free and out-of-bounds memory access vulnerability exists in the Linux kernel's DRM Exynos vidi display driver. An attacker with local access and a low-privilege account can trigger the flaw by issuing a crafted ioctl call, which causes the driver to resolve the wrong device context pointer. Successful exploitation gives the attacker full read, write, and denial-of-service capability over the affected system. Patched-image rebuilds at the fix versions (5.10.253, 5.15.203, and the upstream commit references) are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-45956 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that package an affected Linux kernel version. Any image whose kernel falls in the vulnerable range is flagged automatically in both registry scans and pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH (CVSS v3.1) and weights findings against each customer environment's compliance policy to prioritize the alert appropriately. Findings are routed to the team inbox configured for each affected workload so that the right engineers receive the alert without manual filtering.

Status: Available

Patch

A patched-image rebuild targeting the fixed kernel versions (5.10.253, 5.15.203, or the upstream commit references) becomes available on HarborGuard once the base image with the fix is published upstream. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against each affected workload automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to issue the ioctl that triggers the vulnerability.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can trigger the flaw entirely through their own process.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions or special memory layout assumptions are required.

Blast Radius

  • The attacker reads arbitrary kernel memory, exposing credentials, session tokens, or other sensitive data held in kernel structures.
  • The attacker writes to arbitrary kernel memory locations, allowing modification of security-critical kernel state or persisted data structures.
  • The attacker can crash the affected system or the display subsystem entirely, causing a denial of service.
  • In unlucky memory layouts, a use-after-free condition may allow the attacker to escalate to full kernel code execution.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-45956 is matched against scanned images within minutes of publication, covering both upstream base images and custom-built images that bundle a vulnerable kernel. Where fix versions are available (5.10.253, 5.15.203, or the relevant upstream commits), a patched-image rebuild becomes available as soon as an updated base image is published. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite against it, and opens a pull request against each affected workload; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where a patched base image is not yet available or where compliance policy restricts auto-remediation, HarborGuard re-checks the advisory each ingest cycle and will surface the rebuilt image the moment the upstream fix is available. In the interim, consider restricting ioctl access to the vidi device node via seccomp or device-cgroup policy, and limiting local shell access on hosts running affected kernels.


Fix available

0 · 21ca24ba51a2c28bcc4df9d7e5a40b0eb66ab76d · 2987642c5213508c6c9e718324c0d5289a92c474 · 5.10.253 · 5.15.203 · 6.1.167 · 6.6.130 · 6.18.14 · 6.19.4 · 65d1213baffa363f2eb1117b1dc7acc573b890f8 · 7.0 · 875fa28690e93ed5296c31d3344556c6bb867234 · a540f767642f75240a6c35f6a65b69e44cfcea9d · b5fc86d753dd4c281a943b92f0eef02d31af03d7 · d3968a0d85b211e197f2f4f06268a7031079e0d0

Affected packages
  • Linux / Linux
    < 2987642c5213508c6c9e718324c0d5289a92c474 (from cf67cc9a29ac19c98bc4fa0e6d14b0c1f592d322) · < 65d1213baffa363f2eb1117b1dc7acc573b890f8 (from cf67cc9a29ac19c98bc4fa0e6d14b0c1f592d322) · < 875fa28690e93ed5296c31d3344556c6bb867234 (from cf67cc9a29ac19c98bc4fa0e6d14b0c1f592d322) · < 21ca24ba51a2c28bcc4df9d7e5a40b0eb66ab76d (from cf67cc9a29ac19c98bc4fa0e6d14b0c1f592d322) · < b5fc86d753dd4c281a943b92f0eef02d31af03d7 (from cf67cc9a29ac19c98bc4fa0e6d14b0c1f592d322) · < a540f767642f75240a6c35f6a65b69e44cfcea9d (from cf67cc9a29ac19c98bc4fa0e6d14b0c1f592d322)
  • Linux / Linux
    4.3
    Fixed in 0, 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.18.14, 6.19.4, 7.0
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H