{"id":"CVE-2026-46209","summary":"drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()\n\ndrm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions\nusing plain integer division:\n\n  unsigned int width  = mode_cmd-\u003ewidth  / (i ? info-\u003ehsub : 1);\n  unsigned int height = mode_cmd-\u003eheight / (i ? info-\u003evsub : 1);\n\nHowever, the ioctl-level framebuffer_check() in drm_framebuffer.c uses\ndrm_format_info_plane_width/height() which round up dimensions via\nDIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object\nsize check for certain pixel format and dimension combinations.\n\nFor example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the\nGEM size validation path sees height=0 instead of height=1. The\nexpression (height - 1) then wraps to UINT_MAX as an unsigned int,\ncausing min_size to overflow and wrap back to a small value. A tiny\nGEM object therefore passes the size guard, yet when the GPU accesses\nthe chroma plane it will read or write memory beyond the object's\nbounds.\n\nFix by replacing the open-coded divisions with drm_format_info_plane_width()\nand drm_format_info_plane_height(), which use DIV_ROUND_UP() and match\nthe calculation already used in framebuffer_check().","modified":"2026-06-05T18:29:30.114387946Z","published":"2026-05-28T09:40:27.092Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46209.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/11427ad6c9f0def5ce567982b785da3191946430"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1a17ea9861e89585361caa8bc231bd22dc6dbe7d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1da4ab7189f1064b3b712b388772c008b4d82580"},{"type":"WEB","url":"https://git.kernel.org/stable/c/22922f7dae74409fc4bf0f1142710cb6b8ce8cc2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3d4c2268bd7243c3780fe32bf24ff876da272acf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6b992591e04f2cce813bcf239b354f375bbf84d3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c5fc49d8470c5ebf3b41607600f277158f159950"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46209.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46209"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4c3dbb2c312c9fafbac30d98c523b8b1f3455d78"},{"fixed":"11427ad6c9f0def5ce567982b785da3191946430"},{"fixed":"adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad"},{"fixed":"22922f7dae74409fc4bf0f1142710cb6b8ce8cc2"},{"fixed":"6b992591e04f2cce813bcf239b354f375bbf84d3"},{"fixed":"1da4ab7189f1064b3b712b388772c008b4d82580"},{"fixed":"1a17ea9861e89585361caa8bc231bd22dc6dbe7d"},{"fixed":"c5fc49d8470c5ebf3b41607600f277158f159950"},{"fixed":"3d4c2268bd7243c3780fe32bf24ff876da272acf"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46209.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.14.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.90"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.32"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46209.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}