{ "public_date" : "2026-05-06T00:00:00Z", "bugzilla" : { "description" : "kernel: drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release", "id" : "2467190", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467190" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release\nThe atmel_hlcdc_plane_atomic_duplicate_state() callback was copying\nthe atmel_hlcdc_plane state structure without properly duplicating the\ndrm_plane_state. In particular, state->commit remained set to the old\nstate commit, which can lead to a use-after-free in the next\ndrm_atomic_commit() call.\nFix this by calling\n__drm_atomic_helper_duplicate_plane_state(), which correctly clones\nthe base drm_plane_state (including the ->commit pointer).\nIt has been seen when closing and re-opening the device node while\nanother DRM client (e.g. fbdev) is still attached:\n=============================================================================\nBUG kmalloc-64 (Not tainted): Poison overwritten\n-----------------------------------------------------------------------------\n0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b\nFIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b\nAllocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0\npid=29\ndrm_atomic_helper_setup_commit+0x1e8/0x7bc\ndrm_atomic_helper_commit+0x3c/0x15c\ndrm_atomic_commit+0xc0/0xf4\ndrm_framebuffer_remove+0x4cc/0x5a8\ndrm_mode_rmfb_work_fn+0x6c/0x80\nprocess_one_work+0x12c/0x2cc\nworker_thread+0x2a8/0x400\nkthread+0xc0/0xdc\nret_from_fork+0x14/0x28\nFreed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0\npid=169\ndrm_atomic_helper_commit_hw_done+0x100/0x150\ndrm_atomic_helper_commit_tail+0x64/0x8c\ncommit_tail+0x168/0x18c\ndrm_atomic_helper_commit+0x138/0x15c\ndrm_atomic_commit+0xc0/0xf4\ndrm_atomic_helper_set_config+0x84/0xb8\ndrm_mode_setcrtc+0x32c/0x810\ndrm_ioctl+0x20c/0x488\nsys_ioctl+0x14c/0xc20\nret_fast_syscall+0x0/0x54\nSlab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0\nflags=0x200(workingset|zone=0)\nObject 0xc611b340 @offset=832 fp=0xc611b7c0", "A flaw was found in the Linux kernel's `drm/atmel-hlcdc` component. An issue in the `atmel_hlcdc_plane_atomic_duplicate_state()` callback, which incorrectly duplicates the `drm_plane_state`, can lead to a use-after-free vulnerability. This can be triggered when a device node is closed and re-opened while another Direct Rendering Manager (DRM) client is still active, potentially causing system instability or a denial of service." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43236\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43236\nhttps://lore.kernel.org/linux-cve-announce/2026050658-CVE-2026-43236-1ee8@gregkh/T" ], "name" : "CVE-2026-43236", "csaw" : false }