{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23227", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.987Z", "datePublished": "2026-02-18T14:53:30.784Z", "dateUpdated": "2026-05-11T22:02:46.926Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:46.926Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free\n\nExynos Virtual Display driver performs memory alloc/free operations\nwithout lock protection, which easily causes concurrency problem.\n\nFor example, use-after-free can occur in race scenario like this:\n```\n\tCPU0\t\t\t\tCPU1\t\t\t\tCPU2\n\t----\t\t\t\t----\t\t\t\t----\n vidi_connection_ioctl()\n if (vidi->connection) // true\n drm_edid = drm_edid_alloc(); // alloc drm_edid\n ...\n ctx->raw_edid = drm_edid;\n ...\n\t\t\t\t\t\t\t\tdrm_mode_getconnector()\n\t\t\t\t\t\t\t\t drm_helper_probe_single_connector_modes()\n\t\t\t\t\t\t\t\t vidi_get_modes()\n\t\t\t\t\t\t\t\t if (ctx->raw_edid) // true\n\t\t\t\t\t\t\t\t drm_edid_dup(ctx->raw_edid);\n\t\t\t\t\t\t\t\t if (!drm_edid) // false\n\t\t\t\t\t\t\t\t ...\n\t\t\t\tvidi_connection_ioctl()\n\t\t\t\t if (vidi->connection) // false\n\t\t\t\t drm_edid_free(ctx->raw_edid); // free drm_edid\n\t\t\t\t ...\n\t\t\t\t\t\t\t\t drm_edid_alloc(drm_edid->edid)\n\t\t\t\t\t\t\t\t kmemdup(edid); // UAF!!\n\t\t\t\t\t\t\t\t ...\n```\n\nTo prevent these vulns, at least in vidi_context, member variables related\nto memory alloc/free should be protected with ctx->lock."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/exynos/exynos_drm_vidi.c"], "versions": [{"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f", "lessThan": "56966a4cfa925ec24edb68ab652a740a7abe2c4d", "status": "affected", "versionType": "git"}, {"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f", "lessThan": "9e1ef9396a1899925911b1729cb65665420268df", "status": "affected", "versionType": "git"}, {"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f", "lessThan": "92dd1f38d7db75374dcdaf54f1d79d67bffd54e5", "status": "affected", "versionType": "git"}, {"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f", "lessThan": "1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13", "status": "affected", "versionType": "git"}, {"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f", "lessThan": "abfdf449fb3d7b42e85a1ad1c8694b768b1582f4", "status": "affected", "versionType": "git"}, {"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f", "lessThan": "60b75407c172e1f341a8a5097c5cbc97dbbdd893", "status": "affected", "versionType": "git"}, {"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f", "lessThan": "0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385", "status": "affected", "versionType": "git"}, {"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f", "lessThan": "52b330799e2d6f825ae2bb74662ec1b10eb954bb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/exynos/exynos_drm_vidi.c"], "versions": [{"version": "3.6", "status": "affected"}, {"version": "0", "lessThan": "3.6", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.11", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.1", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.18.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.19.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/56966a4cfa925ec24edb68ab652a740a7abe2c4d"}, {"url": "https://git.kernel.org/stable/c/9e1ef9396a1899925911b1729cb65665420268df"}, {"url": "https://git.kernel.org/stable/c/92dd1f38d7db75374dcdaf54f1d79d67bffd54e5"}, {"url": "https://git.kernel.org/stable/c/1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13"}, {"url": "https://git.kernel.org/stable/c/abfdf449fb3d7b42e85a1ad1c8694b768b1582f4"}, {"url": "https://git.kernel.org/stable/c/60b75407c172e1f341a8a5097c5cbc97dbbdd893"}, {"url": "https://git.kernel.org/stable/c/0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385"}, {"url": "https://git.kernel.org/stable/c/52b330799e2d6f825ae2bb74662ec1b10eb954bb"}], "title": "drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6F320FA-255D-4544-9CA5-33D757F74941", "versionEndExcluding": "6.12.77", "versionStartIncluding": "3.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7099A9EC-3D54-4424-BF01-7224EF88C79C", "versionEndExcluding": "6.18.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE543C0D-A06B-414F-A403-CB1E088F261E", "versionEndExcluding": "6.19.1", "versionStartIncluding": "6.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free\n\nExynos Virtual Display driver performs memory alloc/free operations\nwithout lock protection, which easily causes concurrency problem.\n\nFor example, use-after-free can occur in race scenario like this:\n```\n\tCPU0\t\t\t\tCPU1\t\t\t\tCPU2\n\t----\t\t\t\t----\t\t\t\t----\n vidi_connection_ioctl()\n if (vidi->connection) // true\n drm_edid = drm_edid_alloc(); // alloc drm_edid\n ...\n ctx->raw_edid = drm_edid;\n ...\n\t\t\t\t\t\t\t\tdrm_mode_getconnector()\n\t\t\t\t\t\t\t\t drm_helper_probe_single_connector_modes()\n\t\t\t\t\t\t\t\t vidi_get_modes()\n\t\t\t\t\t\t\t\t if (ctx->raw_edid) // true\n\t\t\t\t\t\t\t\t drm_edid_dup(ctx->raw_edid);\n\t\t\t\t\t\t\t\t if (!drm_edid) // false\n\t\t\t\t\t\t\t\t ...\n\t\t\t\tvidi_connection_ioctl()\n\t\t\t\t if (vidi->connection) // false\n\t\t\t\t drm_edid_free(ctx->raw_edid); // free drm_edid\n\t\t\t\t ...\n\t\t\t\t\t\t\t\t drm_edid_alloc(drm_edid->edid)\n\t\t\t\t\t\t\t\t kmemdup(edid); // UAF!!\n\t\t\t\t\t\t\t\t ...\n```\n\nTo prevent these vulns, at least in vidi_context, member variables related\nto memory alloc/free should be protected with ctx->lock."}, {"lang": "es", "value": "Se ha resuelto la siguiente vulnerabilidad en el kernel de Linux:\n\ndrm/exynos: vidi: usar ctx->lock para proteger las variables miembro de la estructura vidi_context relacionadas con la asignaci\u00f3n/liberaci\u00f3n de memoria\n\nEl controlador de pantalla virtual de Exynos realiza operaciones de asignaci\u00f3n/liberaci\u00f3n de memoria sin protecci\u00f3n de bloqueo, lo que f\u00e1cilmente causa un problema de concurrencia.\n\nPor ejemplo, el uso despu\u00e9s de liberaci\u00f3n puede ocurrir en un escenario de carrera como este:\n```\n\tCPU0\t\t\t\tCPU1\t\t\t\tCPU2\n\t----\t\t\t\t----\t\t\t\t----\n vidi_connection_ioctl()\n if (vidi->connection) // true\n drm_edid = drm_edid_alloc(); // alloc drm_edid\n ...\n ctx->raw_edid = drm_edid;\n ...\n\t\t\t\t\t\t\t\tdrm_mode_getconnector()\n\t\t\t\t\t\t\t\t drm_helper_probe_single_connector_modes()\n\t\t\t\t\t\t\t\t vidi_get_modes()\n\t\t\t\t\t\t\t\t if (ctx->raw_edid) // true\n\t\t\t\t\t\t\t\t drm_edid_dup(ctx->raw_edid);\n\t\t\t\t\t\t\t\t if (!drm_edid) // false\n\t\t\t\t\t\t\t\t ...\n\t\t\t\tvidi_connection_ioctl()\n\t\t\t\t if (vidi->connection) // false\n\t\t\t\t drm_edid_free(ctx->raw_edid); // free drm_edid\n\t\t\t\t ...\n\t\t\t\t\t\t\t\t drm_edid_alloc(drm_edid->edid)\n\t\t\t\t\t\t\t\t kmemdup(edid); // UAF!!\n\t\t\t\t\t\t\t\t ...\n```\n\nPara prevenir estas vulnerabilidades, al menos en vidi_context, las variables miembro relacionadas con la asignaci\u00f3n/liberaci\u00f3n de memoria deber\u00edan ser protegidas con ctx->lock."}], "id": "CVE-2026-23227", "lastModified": "2026-04-18T09:16:14.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-18T16:22:32.467", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/52b330799e2d6f825ae2bb74662ec1b10eb954bb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/56966a4cfa925ec24edb68ab652a740a7abe2c4d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/60b75407c172e1f341a8a5097c5cbc97dbbdd893"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/92dd1f38d7db75374dcdaf54f1d79d67bffd54e5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9e1ef9396a1899925911b1729cb65665420268df"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/abfdf449fb3d7b42e85a1ad1c8694b768b1582f4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free", "id": "2440672", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440672"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23227", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23227\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23227\nhttps://lore.kernel.org/linux-cve-announce/2026021807-CVE-2026-23227-6986@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,60b75407c172e1f341a8a5097c5cbc97dbbdd893)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.11,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.1,7.0.0)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-15T15:47:25.595146+00:00", "value": {"mitigation_remediation": ["Upgrade to a kernel version that includes the patch fixing the use of ctx->lock for memory operations in the Exynos Virtual Display driver", "If an upgrade is not immediately possible, disable the Exynos Virtual Display driver or restrict its interfaces to trusted users only", "Monitor kernel logs for drm_edid or memory allocation errors and consider applying kernel runtime lock debugging tools to detect concurrency issues"], "summary": {"action": "Apply Kernel Patch", "impact": "Use\u2011after\u2011free leading to memory corruption that may enable remote code execution or denial of service"}, "threat_synthesis": {"affected_systems": "Any system running a Linux kernel that incorporates the Exynos Virtual Display driver is affected. The vulnerability is present in all versions of the Linux kernel up to the point where the patch is applied, regardless of distribution vendor. The specific impacted component is the DRM/exynos vidi module; therefore all Linux kernels that compile with the Exynos Virtual Display driver are at risk.", "description_and_impact": "A race condition in the Exynos Virtual Display driver results in memory allocation and deallocation operations being performed without proper lock protection. The kernel can free an object that another thread is still accessing, triggering a use\u2011after\u2011free scenario. This vulnerability can corrupt memory, potentially allowing an attacker to execute arbitrary code or crash the system. The weakness is a classic use\u2011after\u2011free flaw (CWE\u2011416).", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity, and the EPSS score of less than 1\u00a0% suggests that exploitation is currently unlikely, consistent with the fact that the vulnerability requires a race condition. The vulnerability is not yet listed in CISA\u2019s KEV catalog. The primary attack vector is local, requiring concurrent use of the driver by two threads, which typically means a privileged or root user or a malicious user exploiting a privileged interface. While not immediately exploitable in a publicly shared environment, an attacker with local access could trigger the flaw to corrupt memory or gain arbitrary code execution."}}}}, "created": "2026-02-19T10:11:45.153756+00:00", "updated": "2026-04-15T17:30:10.410928+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}