{"id":"CVE-2021-47200","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/prime: Fix use after free in mmap with drm_gem_ttm_mmap\n\ndrm_gem_ttm_mmap() drops a reference to the gem object on success. If\nthe gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that\ndrop will free the gem object, and the subsequent drm_gem_object_get()\nwill be a UAF. Fix by grabbing a reference before calling the mmap\nhelper.\n\nThis issue was forseen when the reference dropping was adding in\ncommit 9786b65bc61ac (\"drm/ttm: fix mmap refcounting\"):\n  \"For that to work properly the drm_gem_object_get() call in\n  drm_gem_ttm_mmap() must be moved so it happens before calling\n  obj-\u003efuncs-\u003emmap(), otherwise the gem refcount would go down\n  to zero.\"","modified":"2026-03-13T05:18:03.195147Z","published":"2024-04-10T19:15:48.077Z","related":["SUSE-SU-2024:1641-1","SUSE-SU-2024:1644-1","SUSE-SU-2024:1647-1","SUSE-SU-2024:1659-1","SUSE-SU-2024:1663-1","SUSE-SU-2024:2008-1","SUSE-SU-2024:2010-1","SUSE-SU-2024:2185-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/4f8e469a2384dfa4047145b0093126462cbb6dc0"},{"type":"FIX","url":"https://git.kernel.org/stable/c/8244a3bc27b3efd057da154b8d7e414670d5044f"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"5.5"},{"fixed":"5.15.5"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47200.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}