HIGH
drm/nouveau Pushbuf Overflow
CVE-2026-46006
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix u32 overflow in pushbuf reloc bounds check

nouveau_gem_pushbuf_reloc_apply() validates each relocation with

`if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)`

but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size. Cast to u64 so the addition happens in 64-bit arithmetic.

[ Add Fixes: tag. - Danilo ]
02 KernelScan AI Analysis
Risk summary
A local attacker with access to the Nouveau DRM device node can get a pushbuf relocation past its bounds check because the check's 32-bit addition wraps, leading to an out-of-bounds write in kernel memory. The wrap is reachable only for reloc_bo_offset values in the range 0xFFFFFFFC..0xFFFFFFFF, but that field comes straight from the uapi relocation record, so it is fully user-controlled. Systems with NVIDIA graphics hardware driven by the open-source Nouveau driver are affected.
Vulnerability analysis
The vulnerability is in nouveau_gem_pushbuf_reloc_apply(), where the bounds check `r->reloc_bo_offset + 4 > nvbo->bo.base.size` computes its left-hand side in 32-bit unsigned arithmetic (reloc_bo_offset is __u32 and the literal 4 promotes to unsigned int) and only then widens the result for the comparison against the size_t bo size (64-bit on 64-bit kernels). When reloc_bo_offset is in the range 0xFFFFFFFC..0xFFFFFFFF, adding 4 wraps the sum to 0..3, which is never greater than the size of a non-empty object, so the check passes even though the offset lies roughly 4 GiB past the start of the buffer object. The subsequent relocation write therefore lands outside the GPU buffer object, in kernel memory. The fix casts reloc_bo_offset to u64 before the addition so the sum is computed in 64 bits and cannot wrap. The attack surface is local only: the attacker needs to issue pushbuf ioctls on the graphics device node (PR:L in the CVSS vector above).
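To make the wrap concrete, the following added example (not code from the nouveau driver or the kernel; `struct reloc` is a hypothetical one-field stand-in for the uapi record and the function names are this example's own) models the vulnerable and fixed forms of the check side by side on constructed relocation offsets, reports how far past the end of the object a 4-byte write at each offset would reach, and counts how many entries in a relocation list get past the old check but not the new one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Minimal stand-in for the uapi relocation record: only the field the
 * bounds check reads. The real struct in uapi/drm/nouveau_drm.h has more
 * fields; this one-field version is an assumption made for illustration.
 */
struct reloc {
	uint32_t reloc_bo_offset;	/* __u32 in the uapi header */
};

/*
 * Vulnerable form of the check. reloc_bo_offset is uint32_t and the literal
 * 4 is an int, so the sum is computed as a 32-bit unsigned int and wraps
 * before it is widened for the comparison against the size_t bo size.
 * Returns true when the check would let the relocation through.
 */
static bool reloc_accepted_vuln(uint32_t reloc_bo_offset, size_t bo_size)
{
	return !(reloc_bo_offset + 4 > bo_size);
}

/* Fixed form: widen to 64 bits first so the addition cannot wrap. */
static bool reloc_accepted_fixed(uint32_t reloc_bo_offset, size_t bo_size)
{
	return !((uint64_t)reloc_bo_offset + 4 > bo_size);
}

/*
 * How far past the end of the bo a 4-byte access at reloc_bo_offset would
 * reach, computed without wrap. Zero means the access is in bounds.
 */
static uint64_t bytes_past_end(uint32_t reloc_bo_offset, size_t bo_size)
{
	uint64_t end = (uint64_t)reloc_bo_offset + 4;

	return end > bo_size ? end - bo_size : 0;
}

/*
 * Walk a relocation list the way the apply loop does and count entries the
 * vulnerable check accepts although the fixed check rejects them, i.e. the
 * entries that reach the write with an offset outside the object.
 */
static size_t count_bypasses(const struct reloc *r, size_t n, size_t bo_size)
{
	size_t bypasses = 0;

	for (size_t i = 0; i < n; i++) {
		bool vuln = reloc_accepted_vuln(r[i].reloc_bo_offset, bo_size);
		bool fixed = reloc_accepted_fixed(r[i].reloc_bo_offset, bo_size);

		if (vuln && !fixed)
			bypasses++;
	}
	return bypasses;
}

int main(void)
{
	/* Constructed sample input: a 4 KiB bo and five relocation offsets. */
	const size_t bo_size = 4096;
	const struct reloc relocs[] = {
		{ 0 },			/* first word: in bounds */
		{ 4092 },		/* last word: in bounds */
		{ 4093 },		/* straddles the end: rejected by both checks */
		{ 0xFFFFFFFCu },	/* 0xFFFFFFFC + 4 wraps to 0: slips past the old check */
		{ 0xFFFFFFFFu },	/* wraps to 3: slips past the old check */
	};
	const size_t n = sizeof(relocs) / sizeof(relocs[0]);

	printf("%-12s %-7s %-7s %s\n", "offset", "vuln", "fixed", "bytes past end");
	for (size_t i = 0; i < n; i++) {
		uint32_t off = relocs[i].reloc_bo_offset;

		printf("0x%08x   %-7s %-7s %llu\n", off,
		       reloc_accepted_vuln(off, bo_size) ? "pass" : "reject",
		       reloc_accepted_fixed(off, bo_size) ? "pass" : "reject",
		       (unsigned long long)bytes_past_end(off, bo_size));
	}
	printf("relocations that bypass the vulnerable check: %zu\n",
	       count_bypasses(relocs, n, bo_size));
	return 0;
}
```

The sample list deliberately includes 4093 to show that the old check does catch an ordinary off-by-a-few overrun; the bypass is specific to the four top-of-range offsets whose 32-bit sum wraps to 0..3. Note that the vulnerable form behaves the same whether size_t is 32 or 64 bits: what matters is that the addition is done at 32-bit width before the compare, which is exactly what the u64 cast removes.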
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.209 | 573a1104bd36 |
| 6.1 | 6.1.175 | 45a45184b9c0 |
| 6.6 | 6.6.140 | fa297e919d16 |
| 6.12 | 6.12.86 | d749a9a0ee40 |
| 6.18 | 6.18.27 | 332884f5eb79 |
| 7.0 | 7.0.4 | e441d5c23ec6 |
| mainline | 7.1-rc1 | 2fc87d37be1b |