{"id":"CVE-2026-43236","summary":"drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release\n\nThe atmel_hlcdc_plane_atomic_duplicate_state() callback was copying\nthe atmel_hlcdc_plane state structure without properly duplicating the\ndrm_plane_state. In particular, state-\u003ecommit remained set to the old\nstate commit, which can lead to a use-after-free in the next\ndrm_atomic_commit() call.\n\nFix this by calling\n__drm_atomic_helper_duplicate_plane_state(), which correctly clones\nthe base drm_plane_state (including the -\u003ecommit pointer).\n\nIt has been seen when closing and re-opening the device node while\nanother DRM client (e.g. fbdev) is still attached:\n\n=============================================================================\nBUG kmalloc-64 (Not tainted): Poison overwritten\n-----------------------------------------------------------------------------\n\n0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b\nFIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b\nAllocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0\npid=29\n drm_atomic_helper_setup_commit+0x1e8/0x7bc\n drm_atomic_helper_commit+0x3c/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_framebuffer_remove+0x4cc/0x5a8\n drm_mode_rmfb_work_fn+0x6c/0x80\n process_one_work+0x12c/0x2cc\n worker_thread+0x2a8/0x400\n kthread+0xc0/0xdc\n ret_from_fork+0x14/0x28\nFreed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0\npid=169\n drm_atomic_helper_commit_hw_done+0x100/0x150\n drm_atomic_helper_commit_tail+0x64/0x8c\n commit_tail+0x168/0x18c\n drm_atomic_helper_commit+0x138/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_atomic_helper_set_config+0x84/0xb8\n drm_mode_setcrtc+0x32c/0x810\n drm_ioctl+0x20c/0x488\n sys_ioctl+0x14c/0xc20\n ret_fast_syscall+0x0/0x54\nSlab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0\nflags=0x200(workingset|zone=0)\nObject 0xc611b340 @offset=832 fp=0xc611b7c0","modified":"2026-05-28T03:53:15.197639950Z","published":"2026-05-06T11:28:31.543Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43236.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/549c6db503dbb85dbff4840830971853feac6625"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6404898af86d986db1dbbe06177c143e40652e49"},{"type":"WEB","url":"https://git.kernel.org/stable/c/796e77c14c4c1e2cd36473760fb6cc66c695eb47"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7b4d0fab3ff2c00c6d34e1952c9df5129a826aee"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a205740a7231e967ac77cb731171642901c327af"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ac2d898da5095d46bd1ff8585fdd753d58ad91e7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bc847787233277a337788568e90a6ee1557595eb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fd4a4d0711f48a99b25bcd45e00eef8339eff82d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43236.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43236"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2389fc1305fc1e2cf8b310a75463fefd3058bf48"},{"fixed":"fd4a4d0711f48a99b25bcd45e00eef8339eff82d"},{"fixed":"6404898af86d986db1dbbe06177c143e40652e49"},{"fixed":"796e77c14c4c1e2cd36473760fb6cc66c695eb47"},{"fixed":"ac2d898da5095d46bd1ff8585fdd753d58ad91e7"},{"fixed":"a205740a7231e967ac77cb731171642901c327af"},{"fixed":"7b4d0fab3ff2c00c6d34e1952c9df5129a826aee"},{"fixed":"549c6db503dbb85dbff4840830971853feac6625"},{"fixed":"bc847787233277a337788568e90a6ee1557595eb"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43236.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.1.0"},{"fixed":"5.10.252"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.202"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.165"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.128"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43236.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}