drm/exynos EDID Context UAF
CVE-2026-23227
Severity: HIGH, CVSS 3.1 base score 7.8 (per KernelScan AI)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free

Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problem. For example, use-after-free can occur in race scenario like this:

```
CPU0                                  CPU1                                        CPU2
----                                  ----                                        ----
vidi_connection_ioctl()
if (vidi->connection) // true
  drm_edid = drm_edid_alloc(); // alloc drm_edid
  ...
  ctx->raw_edid = drm_edid;
  ...
                                      drm_mode_getconnector()
                                      drm_helper_probe_single_connector_modes()
                                      vidi_get_modes()
                                      if (ctx->raw_edid) // true
                                        drm_edid_dup(ctx->raw_edid);
                                          if (!drm_edid) // false
                                          ...
                                                                                  vidi_connection_ioctl()
                                                                                  if (vidi->connection) // false
                                                                                    drm_edid_free(ctx->raw_edid); // free drm_edid
                                                                                    ...
                                          drm_edid_alloc(drm_edid->edid)
                                            kmemdup(edid); // UAF!!
                                            ...
```

To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock.
02 KernelScan AI Analysis
Risk summary
A local user who can open the DRM device node and issue the Exynos virtual display driver's connection ioctl can race the EDID allocation and free against a concurrent connector probe, producing a use-after-free of the object behind ctx->raw_edid. The outcome is kernel heap memory corruption: a crash at minimum, and potentially privilege escalation through kernel code execution if the freed slab object can be reclaimed with attacker-controlled data. Only kernels built with CONFIG_DRM_EXYNOS_VIDI (the Exynos virtual display driver) contain the vulnerable code.
Vulnerability analysis
Root cause: vidi_connection_ioctl() allocates and frees the EDID held in ctx->raw_edid, and vidi_get_modes() reads and duplicates it, with no lock serializing the two paths. As the race above shows, a reader can pass the NULL check and call drm_edid_dup() on the pointer, a concurrent disconnect can free the object, and the reader then duplicates freed memory inside drm_edid_alloc() (the kmemdup() call). That read of freed memory is the use-after-free.
Attack surface: local only, through the DRM subsystem, and only on kernels with CONFIG_DRM_EXYNOS_VIDI enabled. The connection state is flipped by the driver's ioctl and by the sysfs attribute behind vidi_store_connection(); the ioctl needs a handle on the DRM device node, while the sysfs write normally requires root. The other side of the race is an ordinary connector probe (for example drm_mode_getconnector()), which any DRM client can issue. The window between the pointer check and the copy is small, so in practice an attacker runs both operations in tight loops from separate threads until the interleaving lands.
Fix mechanism: the patch takes the ctx->lock mutex around every access to ctx->raw_edid and ctx->connected, so the alloc/publish, the duplicate and the unpublish/free are serialized; the critical sections are in vidi_connection_ioctl(), vidi_store_connection(), vidi_get_modes() and vidi_remove(). Because the duplicate now completes before the lock is dropped, a concurrent disconnect can no longer free the source mid-copy. vidi_detect() reads the connected flag with READ_ONCE() instead of taking the lock, which is sufficient for a single flag that is read but never dereferenced.
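To make the locking rule concrete, here is a user-space model of the fixed pattern, added as an example and not taken from the kernel or the exynos driver. It keeps only the members the UAF involves (the EDID pointer, with a pthread mutex standing in for ctx->lock), models vidi_connection_ioctl() and vidi_get_modes() with functions of the same shape, replays the three-CPU interleaving from the commit message, and then races one connect/disconnect thread against two get_modes() threads. EDID_LEN, edid_blob, vidi_ctx, connection_ioctl(), get_modes(), copy_survives_disconnect() and run_race() are all names chosen for the model.

```c
/* User-space model of the fix (added example, not the kernel's exynos vidi code):
 * ctx->lock guards raw_edid, and get_modes() copies the EDID while holding it. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define EDID_LEN 128                          /* one base EDID block (assumption) */
struct edid_blob { uint8_t bytes[EDID_LEN]; }; /* stands in for struct drm_edid */
struct vidi_ctx {                             /* stands in for struct vidi_context */
    pthread_mutex_t lock;                     /* ctx->lock */
    struct edid_blob *raw_edid;               /* ctx->raw_edid */
    long allocs, frees;                       /* demo bookkeeping only */
};

/* Model of vidi_connection_ioctl(): the pointer swap happens under the lock and
 * the old blob is freed only once no reader can reach it any more. */
static int connection_ioctl(struct vidi_ctx *ctx, int connect, const uint8_t *edid)
{
    struct edid_blob *blob = NULL, *old;
    if (connect) {
        if (!(blob = malloc(sizeof(*blob))))
            return -1;
        memcpy(blob->bytes, edid, EDID_LEN);
    }
    pthread_mutex_lock(&ctx->lock);
    old = ctx->raw_edid;
    ctx->raw_edid = blob;
    ctx->allocs += blob != NULL;
    ctx->frees += old != NULL;
    pthread_mutex_unlock(&ctx->lock);
    free(old);                                /* unreachable now: safe outside the lock */
    return 0;
}

/* Model of vidi_get_modes(): the duplicate (the kmemdup() of the commit message) is
 * taken under the lock, so no disconnect can free raw_edid between check and copy. */
static struct edid_blob *get_modes(struct vidi_ctx *ctx)
{
    struct edid_blob *copy = NULL;
    pthread_mutex_lock(&ctx->lock);
    if (ctx->raw_edid && (copy = malloc(sizeof(*copy))))
        memcpy(copy->bytes, ctx->raw_edid->bytes, EDID_LEN);
    pthread_mutex_unlock(&ctx->lock);
    return copy;                              /* caller owns it */
}

/* The commit message's interleaving replayed deterministically. Returns 1 when
 * CPU1's copy is still intact after CPU2 freed raw_edid (no raw-pointer UAF). */
static int copy_survives_disconnect(void)
{
    struct vidi_ctx ctx = { PTHREAD_MUTEX_INITIALIZER };
    uint8_t edid[EDID_LEN];
    memset(edid, 0x5A, sizeof(edid));
    connection_ioctl(&ctx, 1, edid);          /* CPU0: connect, publish EDID */
    struct edid_blob *copy = get_modes(&ctx); /* CPU1: dup under the lock */
    connection_ioctl(&ctx, 0, NULL);          /* CPU2: disconnect, free raw_edid */
    int ok = copy && memcmp(copy->bytes, edid, EDID_LEN) == 0;
    free(copy);
    return ok;
}

struct worker { struct vidi_ctx *ctx; int iters, toggle; long bad; };
static void *worker_fn(void *p)               /* toggler flips connection; readers dup */
{
    struct worker *w = p;
    uint8_t edid[EDID_LEN];
    memset(edid, 0xA5, sizeof(edid));
    for (int i = 0; i < w->iters; i++) {
        if (w->toggle) { connection_ioctl(w->ctx, i & 1, edid); continue; }
        struct edid_blob *c = get_modes(w->ctx);
        if (c && memcmp(c->bytes, edid, EDID_LEN) != 0)
            w->bad++;                         /* torn or stale copy */
        free(c);
    }
    return NULL;
}

/* One toggler racing two readers for 'iters' rounds. Returns 0 on a clean run:
 * nothing left published, every allocation freed exactly once, no bad copies. */
static int run_race(int iters)
{
    struct vidi_ctx ctx = { PTHREAD_MUTEX_INITIALIZER };
    struct worker w[3] = { { &ctx, iters, 1, 0 }, { &ctx, iters, 0, 0 }, { &ctx, iters, 0, 0 } };
    pthread_t th[3];
    for (int i = 0; i < 3; i++)
        pthread_create(&th[i], NULL, worker_fn, &w[i]);
    for (int i = 0; i < 3; i++)
        pthread_join(th[i], NULL);
    connection_ioctl(&ctx, 0, NULL);          /* final disconnect */
    if (ctx.raw_edid || ctx.allocs != ctx.frees)
        return -1;                            /* leak or double free in the model */
    return (w[1].bad || w[2].bad) ? -2 : 0;
}

int main(void)
{
    printf("copy intact: %d, race (0 = clean): %d\n", copy_survives_disconnect(), run_race(20000));
    return 0;
}
```

Build with `cc -pthread`. Both checks come out clean because the copy is finished before the lock is dropped, so the free on the disconnect path can never run between the pointer check and the memcpy() that stands in for kmemdup(). Freeing after the unlock in connection_ioctl() is a choice for the model: once the pointer has been swapped out under the lock, no reader can reach the old blob, so the free itself does not need to sit inside the critical section.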
03 Fix Versions
| Stable branch | First fixed release | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 56966a4cfa92 |
| 5.15 | 5.15.203 | 9e1ef9396a18 |
| 6.1 | 6.1.167 | 92dd1f38d7db |
| 6.6 | 6.6.130 | 1b24d3e8792b |
| 6.12 | 6.12.77 | abfdf449fb3d |
| 6.18 | 6.18.11 | 60b75407c172 |
| 6.19 | 6.19.1 | 0cd2c155740d |
| mainline | 7.0 | 52b330799e2d |