{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions",
    "id" : "2451188",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451188"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-390",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/vmwgfx: Return the correct value in vmw_translate_ptr functions\nBefore the referenced fixes these functions used a lookup function that\nreturned a pointer. This was changed to another lookup function that\nreturned an error code with the pointer becoming an out parameter.\nThe error path when the lookup failed was not changed to reflect this\nchange and the code continued to return the PTR_ERR of the now\nuninitialized pointer. This could cause the vmw_translate_ptr functions\nto return success when they actually failed causing further uninitialized\nand OOB accesses.", "A flaw was found in the `drm/vmwgfx` component of the Linux kernel. Incorrect error handling in the `vmw_translate_ptr` functions could cause them to return a success status even when an internal lookup operation failed. This could lead to the use of uninitialized pointers and out-of-bounds (OOB) memory accesses, potentially resulting in system instability or information disclosure." ],
  "statement" : "This flaw affects VMware graphics (vmwgfx) driver used in VMware virtual machines. The error handling regression causes failed lookups to incorrectly return success, leading to use of uninitialized pointers and potential OOB memory accesses. This affects systems running Linux guests in VMware environments with 3D acceleration enabled.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23317\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23317\nhttps://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23317-0e9e@gregkh/T" ],
  "name" : "CVE-2026-23317",
  "csaw" : false
}