{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23227","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.987Z","datePublished":"2026-02-18T14:53:30.784Z","dateUpdated":"2026-05-11T22:02:46.926Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:02:46.926Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free\n\nExynos Virtual Display driver performs memory alloc/free operations\nwithout lock protection, which easily causes concurrency problem.\n\nFor example, use-after-free can occur in race scenario like this:\n```\n\tCPU0\t\t\t\tCPU1\t\t\t\tCPU2\n\t----\t\t\t\t----\t\t\t\t----\n  vidi_connection_ioctl()\n    if (vidi->connection) // true\n      drm_edid = drm_edid_alloc(); // alloc drm_edid\n      ...\n      ctx->raw_edid = drm_edid;\n      ...\n\t\t\t\t\t\t\t\tdrm_mode_getconnector()\n\t\t\t\t\t\t\t\t  drm_helper_probe_single_connector_modes()\n\t\t\t\t\t\t\t\t    vidi_get_modes()\n\t\t\t\t\t\t\t\t      if (ctx->raw_edid) // true\n\t\t\t\t\t\t\t\t        drm_edid_dup(ctx->raw_edid);\n\t\t\t\t\t\t\t\t          if (!drm_edid) // false\n\t\t\t\t\t\t\t\t          ...\n\t\t\t\tvidi_connection_ioctl()\n\t\t\t\t  if (vidi->connection) // false\n\t\t\t\t    drm_edid_free(ctx->raw_edid); // free drm_edid\n\t\t\t\t    ...\n\t\t\t\t\t\t\t\t          drm_edid_alloc(drm_edid->edid)\n\t\t\t\t\t\t\t\t            kmemdup(edid); // UAF!!\n\t\t\t\t\t\t\t\t            ...\n```\n\nTo prevent these vulns, at least in vidi_context, member variables related\nto memory alloc/free should be protected with ctx->lock."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/exynos/exynos_drm_vidi.c"],"versions":[{"version":"d3b62dbfc7b9bb013926f56db79b60f6c18c392f","lessThan":"56966a4cfa925ec24edb68ab652a740a7abe2c4d","status":"affected","versionType":"git"},{"version":"d3b62dbfc7b9bb013926f56db79b60f6c18c392f","lessThan":"9e1ef9396a1899925911b1729cb65665420268df","status":"affected","versionType":"git"},{"version":"d3b62dbfc7b9bb013926f56db79b60f6c18c392f","lessThan":"92dd1f38d7db75374dcdaf54f1d79d67bffd54e5","status":"affected","versionType":"git"},{"version":"d3b62dbfc7b9bb013926f56db79b60f6c18c392f","lessThan":"1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13","status":"affected","versionType":"git"},{"version":"d3b62dbfc7b9bb013926f56db79b60f6c18c392f","lessThan":"abfdf449fb3d7b42e85a1ad1c8694b768b1582f4","status":"affected","versionType":"git"},{"version":"d3b62dbfc7b9bb013926f56db79b60f6c18c392f","lessThan":"60b75407c172e1f341a8a5097c5cbc97dbbdd893","status":"affected","versionType":"git"},{"version":"d3b62dbfc7b9bb013926f56db79b60f6c18c392f","lessThan":"0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385","status":"affected","versionType":"git"},{"version":"d3b62dbfc7b9bb013926f56db79b60f6c18c392f","lessThan":"52b330799e2d6f825ae2bb74662ec1b10eb954bb","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/exynos/exynos_drm_vidi.c"],"versions":[{"version":"3.6","status":"affected"},{"version":"0","lessThan":"3.6","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.130","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.77","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.11","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.1","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"6.1.167"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"6.6.130"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"6.12.77"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"6.18.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"6.19.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/56966a4cfa925ec24edb68ab652a740a7abe2c4d"},{"url":"https://git.kernel.org/stable/c/9e1ef9396a1899925911b1729cb65665420268df"},{"url":"https://git.kernel.org/stable/c/92dd1f38d7db75374dcdaf54f1d79d67bffd54e5"},{"url":"https://git.kernel.org/stable/c/1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13"},{"url":"https://git.kernel.org/stable/c/abfdf449fb3d7b42e85a1ad1c8694b768b1582f4"},{"url":"https://git.kernel.org/stable/c/60b75407c172e1f341a8a5097c5cbc97dbbdd893"},{"url":"https://git.kernel.org/stable/c/0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385"},{"url":"https://git.kernel.org/stable/c/52b330799e2d6f825ae2bb74662ec1b10eb954bb"}],"title":"drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free","x_generator":{"engine":"bippy-1.2.0"}}}}