KernelScan.io

HIGH

drm/exynos VIDI Deref

CVE-2026-45956

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device. This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more. To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer.


Engine v0.2.0

Risk summary

A local user with access to the Exynos DRM device node can trigger memory corruption in the VIDI (virtual display) driver through the ioctl handled by vidi_connection_ioctl(). The handler looks up its context through the wrong device (the exynos-drm master device instead of the VIDI component device), so it operates on a pointer that does not point at a struct vidi_context at all. Depending on what that memory holds, the result is a null pointer dereference, an out-of-bounds access, or a use-after-free, which could be leveraged for kernel memory access and privilege escalation on systems with Samsung Exynos graphics hardware.

Affected: drivers/gpu/drm/exynos/exynos_drm_vidi.c (DRM graphics)

Vulnerability analysis

The root cause is that vidi_connection_ioctl() retrieves its context from the driver_data of drm_dev->dev, the exynos-drm master device, rather than from the VIDI component device. The master device's driver_data belongs to a different device entirely, so the handler treats an unrelated object as a struct vidi_context. Which failure follows depends on what that memory contains when reinterpreted as the context: a NULL pointer dereference, an out-of-bounds access, or a use-after-free. The fix records the VIDI component device in exynos_drm_private->vidi_dev when the component binds, clears it on unbind, and reads that field in the ioctl handler to reach the correct context. The attack surface is local only: the ioctl is reached through the DRM device nodes under /dev/dri/, which distributions typically expose to members of a group such as video, or to the active seat through logind, i.e. low privileges (PR:L in the vector).
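The lookup mistake described above, as an added user-space C model (not code from the kernel, the patch, or this page's engine): it mimics the driver-model driver_data lookup on both a master device and a VIDI component device, shows that the vulnerable path hands back the master's object reinterpreted as a struct vidi_context, and shows the fixed path reaching the real context through priv->vidi_dev. The names dev_get_drvdata, exynos_drm_private, vidi_context and vidi_dev mirror the kernel's for readability; the struct layouts, the helpers lookup_ctx_vulnerable, lookup_ctx_fixed and vidi_connection_ioctl_model, what the master device stores in driver_data, and the NULL check for the unbound case are assumptions made for this demo.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's struct device: only driver_data matters here. */
struct device { void *driver_data; };
static void *dev_get_drvdata(const struct device *d) { return d->driver_data; }
static void dev_set_drvdata(struct device *d, void *p) { d->driver_data = p; }

struct exynos_drm_private {
    struct device *vidi_dev;   /* the field the fix adds: set on bind, cleared on unbind */
};
struct drm_device {
    struct device *dev;                      /* the exynos-drm master device */
    struct exynos_drm_private *dev_private;
};
struct vidi_context {                        /* fields are this demo's, not the kernel's */
    struct drm_device *drm_dev;
    int connected;
};

/* Vulnerable lookup as described on this page: drm_dev->dev is the master
 * device, so whatever its own driver stored there is reinterpreted as a ctx. */
static struct vidi_context *lookup_ctx_vulnerable(struct drm_device *drm_dev)
{
    return dev_get_drvdata(drm_dev->dev);
}

/* Fixed lookup: use the component device recorded at bind time. Returning
 * NULL when it is unset is this demo's handling of the unbound case. */
static struct vidi_context *lookup_ctx_fixed(struct drm_device *drm_dev)
{
    struct device *vidi_dev = drm_dev->dev_private->vidi_dev;
    return vidi_dev ? dev_get_drvdata(vidi_dev) : NULL;
}

/* Model of the ioctl body: report the connection state through the context. */
static int vidi_connection_ioctl_model(struct drm_device *drm_dev, int fixed)
{
    struct vidi_context *ctx = fixed ? lookup_ctx_fixed(drm_dev)
                                     : lookup_ctx_vulnerable(drm_dev);
    return ctx ? ctx->connected : -1;        /* -1: no VIDI component bound */
}

/* Constructed scenario: one master device and one VIDI component device. */
struct scenario {
    struct device master, vidi_pdev;
    struct exynos_drm_private priv;
    struct drm_device drm;
    struct vidi_context ctx;
};

static void scenario_bind(struct scenario *s)
{
    memset(s, 0, sizeof(*s));
    s->drm.dev = &s->master;
    s->drm.dev_private = &s->priv;
    /* Demo assumption: the master driver keeps its drm_device in driver_data.
     * All that matters is that it is not a struct vidi_context. */
    dev_set_drvdata(&s->master, &s->drm);
    s->ctx.drm_dev = &s->drm;
    s->ctx.connected = 1;
    dev_set_drvdata(&s->vidi_pdev, &s->ctx);  /* what the VIDI bind does */
    s->priv.vidi_dev = &s->vidi_pdev;          /* the fix: remember the component device */
}

static void scenario_unbind(struct scenario *s)
{
    s->priv.vidi_dev = NULL;                   /* the fix: forget it on unbind */
    dev_set_drvdata(&s->vidi_pdev, NULL);
}

/* 1 if the vulnerable lookup hands back the master's object, not the context. */
int vulnerable_lookup_aliases_master_drvdata(void)
{
    struct scenario s;
    scenario_bind(&s);
    struct vidi_context *ctx = lookup_ctx_vulnerable(&s.drm);
    return ctx != &s.ctx && (void *)ctx == dev_get_drvdata(&s.master);
}

/* 1 if the fixed lookup yields the real context and the ioctl sees connected == 1. */
int fixed_lookup_returns_context(void)
{
    struct scenario s;
    scenario_bind(&s);
    return lookup_ctx_fixed(&s.drm) == &s.ctx
        && vidi_connection_ioctl_model(&s.drm, 1) == 1;
}

/* 1 if, after unbind, the fixed path refuses instead of touching stale state. */
int fixed_lookup_after_unbind_is_null(void)
{
    struct scenario s;
    scenario_bind(&s);
    scenario_unbind(&s);
    return lookup_ctx_fixed(&s.drm) == NULL
        && vidi_connection_ioctl_model(&s.drm, 1) == -1;
}

int main(void)
{
    printf("vulnerable lookup aliases master drvdata: %d\n", vulnerable_lookup_aliases_master_drvdata());
    printf("fixed lookup returns context: %d\n", fixed_lookup_returns_context());
    printf("fixed lookup after unbind is NULL: %d\n", fixed_lookup_after_unbind_is_null());
    return 0;
}
```

Compile with cc -std=c11 and run; each check prints 1. Reading ctx->connected through the vulnerable pointer would return whatever bytes of the aliased object sit at that offset, which is the "garbage value access" the commit message describes; the demo asserts only on pointer identity because that value is not deterministic.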


Branch      Fixed in     Patch commit
5.10        5.10.253     2987642c5213
5.15        5.15.203     65d1213baffa
6.1         6.1.167      875fa28690e9
6.6         6.6.130      21ca24ba51a2
6.18        6.18.14      b5fc86d753dd
6.19        6.19.4       a540f767642f
mainline    7.0          d3968a0d85b2