HIGH
accel/ivpu GemExport Bypass
CVE-2026-43498
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 6.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

accel/ivpu: Disallow re-exporting imported GEM objects

Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so. Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.
02 KernelScan AI Analysis
Risk summary
Applications with Intel VPU device access can re-export imported GEM buffer objects, causing loss of buffer metadata and leading to data corruption. This affects systems with Intel Vision Processing Unit hardware where multiple applications share buffer objects.
Vulnerability analysis
The Intel VPU driver lacked validation in its DRM PRIME export path, allowing imported GEM buffers to be re-exported without preserving their original flags and access control metadata. The fix adds a custom prime_handle_to_fd callback that explicitly checks drm_gem_is_imported() and blocks re-export with -EOPNOTSUPP. Attack surface is local, requiring DRM device access permissions but no elevated privileges.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 7.0 | 7.0.7 | 3756043dd695 |
| mainline | 7.1-rc3 | 7dd57d7a6350 |