{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23149", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.975Z", "datePublished": "2026-02-14T16:01:18.281Z", "dateUpdated": "2026-05-11T22:01:09.528Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:01:09.528Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()\n\nSince GEM bo handles are u32 in the uapi and the internal implementation\nuses idr_alloc() which uses int ranges, passing a new handle larger than\nINT_MAX trivially triggers a kernel warning:\n\nidr_alloc():\n...\n\tif (WARN_ON_ONCE(start < 0))\n\t\treturn -EINVAL;\n...\n\nFix it by rejecting new handles above INT_MAX and at the same time make\nthe end limit calculation more obvious by moving into int domain."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/drm_gem.c"], "versions": [{"version": "53096728b8910c6916ecc6c46a5abc5c678b58d9", "lessThan": "ae8831ee0fb2f5f41f39722e7b3749d65bb78d08", "status": "affected", "versionType": "git"}, {"version": "53096728b8910c6916ecc6c46a5abc5c678b58d9", "lessThan": "12f15d52d38ac53f7c70ea3d4b3d76afed04e064", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/drm_gem.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.9", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ae8831ee0fb2f5f41f39722e7b3749d65bb78d08"}, {"url": "https://git.kernel.org/stable/c/12f15d52d38ac53f7c70ea3d4b3d76afed04e064"}], "title": "drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A5E20D-6D91-446C-A826-4E89EFEA0278", "versionEndExcluding": "6.18.9", "versionStartIncluding": "6.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()\n\nSince GEM bo handles are u32 in the uapi and the internal implementation\nuses idr_alloc() which uses int ranges, passing a new handle larger than\nINT_MAX trivially triggers a kernel warning:\n\nidr_alloc():\n...\n\tif (WARN_ON_ONCE(start < 0))\n\t\treturn -EINVAL;\n...\n\nFix it by rejecting new handles above INT_MAX and at the same time make\nthe end limit calculation more obvious by moving into int domain."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrm: No permitir que el espacio de usuario active advertencias del kernel en drm_gem_change_handle_ioctl()\n\nDado que los identificadores GEM bo son u32 en la uapi y la implementaci\u00f3n interna utiliza idr_alloc() que usa rangos int, pasar un nuevo identificador mayor que INT_MAX desencadena trivialmente una advertencia del kernel:\n\nidr_alloc():\n...\n\tif (WARN_ON_ONCE(start &lt; 0))\n\t\treturn -EINVAL;\n...\n\nSe soluciona rechazando los nuevos identificadores superiores a INT_MAX y al mismo tiempo haciendo m\u00e1s obvio el c\u00e1lculo del l\u00edmite final al moverlo al dominio int."}], "id": "CVE-2026-23149", "lastModified": "2026-03-17T21:12:29.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T16:15:55.023", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/12f15d52d38ac53f7c70ea3d4b3d76afed04e064"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ae8831ee0fb2f5f41f39722e7b3749d65bb78d08"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()", "id": "2439945", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439945"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndrm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()\nSince GEM bo handles are u32 in the uapi and the internal implementation\nuses idr_alloc() which uses int ranges, passing a new handle larger than\nINT_MAX trivially triggers a kernel warning:\nidr_alloc():\n...\nif (WARN_ON_ONCE(start < 0))\nreturn -EINVAL;\n...\nFix it by rejecting new handles above INT_MAX and at the same time make\nthe end limit calculation more obvious by moving into int domain."], "name": "CVE-2026-23149", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23149\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23149\nhttps://lore.kernel.org/linux-cve-announce/2026021413-CVE-2026-23149-8329@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[53096728b8910c6916ecc6c46a5abc5c678b58d9,ae8831ee0fb2f5f41f39722e7b3749d65bb78d08)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[53096728b8910c6916ecc6c46a5abc5c678b58d9,12f15d52d38ac53f7c70ea3d4b3d76afed04e064)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.9,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-18T20:07:48.636872+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a release that includes the patch for drm_gem_change_handle_ioctl(), such as the final 6.19 release or a later stable version.", "Restrict access to the DRM device by adjusting file permissions or applying mandatory access controls (SELinux/AppArmor) so that only trusted users can invoke the ioctl.", "If GPU support is unnecessary, compile the kernel without the offending GPU drivers or explicitly disable the DRM module to reduce the attack surface."], "summary": {"action": "Apply patch", "impact": "Kernel warning generation"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Linux 6.19 release candidates from rc1 through rc7, where the problematic idr_alloc() usage is part of the DRM GEM handling logic. The issue is tied to the kernel\u2019s handling of Graphics Execution Manager (GEM) objects and the DRM device interface.", "description_and_impact": "The flaw resides in the DRM subsystem\u2019s drm_gem_change_handle_ioctl() function. GEM object handles are 32\u2011bit unsigned values exposed to userspace, but the kernel maps them to signed int indices via idr_alloc(). When a handle greater than the maximum value of a signed int is supplied, the code triggers WARN_ON_ONCE, logging a kernel warning. The description does not claim any denial\u2011of\u2011service or compromise of confidentiality or integrity; it only indicates that an attacker can force kernel log entries to be produced.", "risk_and_exploitability": "The CVSS score of 5.5 signals a moderate severity, and the EPSS score indicates a low exploitation probability (< 1%). The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local user access to the DRM device; an attacker with such access can invoke the ioctl and supply an out\u2011of\u2011range handle to cause the warning. No active exploits have been reported."}}}}, "created": "2026-02-16T12:01:18.529504+00:00", "updated": "2026-04-18T20:15:09.548099+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-20", "CWE-704"]}