HIGH
fbdev DefIO UAF
CVE-2026-46065
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info

Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an instance as part of initializing deferred I/O and remove it only after the final mapping has been closed. If the fb_info and the contained deferred I/O meanwhile go away, clear struct fb_deferred_io_state.info to invalidate the mapping. Any access will then result in a SIGBUS signal.

Fixes a long-standing problem, where a device hot-unplug happens while user space still has an active mapping of the graphics memory. The hot-unplug frees the instance of struct fb_info. Accessing the memory will operate on undefined state.
02 KernelScan AI Analysis
Risk summary
A local user who can open a framebuffer device that uses deferred I/O and mmap() its graphics memory can trigger a use-after-free by keeping that mapping alive across a hot-unplug of the device. Page faults and writeback on the stale mapping then operate on the freed struct fb_info, so the direct outcome is kernel memory corruption: at minimum a crash, and on systems that expose a hot-pluggable framebuffer (USB display adapters such as the udlfb driver are the typical case) potentially a path to privilege escalation. The CVSS vector above reflects exactly that: local, low privilege, no user interaction, high impact on confidentiality, integrity and availability.
Vulnerability analysis
The bug is a lifetime mismatch. Deferred I/O lets a driver whose video memory is not directly mappable hand user space a mapping whose page faults and periodic writeback are serviced by the kernel, and that servicing needs struct fb_info. Before the fix, the deferred I/O bookkeeping lived inside struct fb_info itself, which is freed when the device is removed. A mapping created before the hot-unplug is not torn down by the removal, so the next fault or writeback on it dereferences the freed fb_info: a use-after-free reachable from an unprivileged process that merely holds the mapping open. The fix moves that bookkeeping into a separately allocated struct fb_deferred_io_state. It is created when deferred I/O is initialized and released only after the last mapping has been closed, so it outlives fb_info whenever user space still has a mapping. On device removal the kernel clears the state's info pointer instead of freeing the state; the fault handler checks that pointer and returns VM_FAULT_SIGBUS when it is NULL, so a process touching the stale mapping receives SIGBUS rather than driving the kernel through freed memory. Note that the commit message describes release of the state as tied to the close of the final mapping, not as a general reference count on fb_info. To check exposure, compare the running kernel version (uname -r) with the fixed versions in the table below; a system with no framebuffer driver on a hot-pluggable bus has no practical trigger, but the fix is still worth carrying since it is in the shared fbdev core.
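What the fix changes in the object lifetimes, as an added user-space model (not kernel code and not from the patch; every model_* name is a hypothetical stand-in for the real fb_info, fb_deferred_io_state and the deferred I/O fault handler):

```c
/*
 * Added illustration of the lifetime fix, not kernel code. Before the fix
 * the mapping's fault path went straight to fb_info, which hot-unplug frees.
 * Here the mapping only ever holds the long-lived state, and the state's
 * info pointer is the single link that unplug cuts. All names are
 * hypothetical stand-ins (assumption: one state per device, as in the fix).
 */
#include <stdio.h>
#include <stdlib.h>

#define FAULT_OK      0
#define FAULT_SIGBUS  (-1)   /* stands in for VM_FAULT_SIGBUS */

struct model_defio_state;

/* Stand-in for struct fb_info: owns the graphics memory, dies on unplug. */
struct model_fb_info {
    unsigned char *screen;
    size_t len;
    struct model_defio_state *defio;
};

/* Stand-in for struct fb_deferred_io_state: lives until the last munmap. */
struct model_defio_state {
    struct model_fb_info *info;   /* NULL once the device is gone */
    unsigned int nr_mappings;
};

/* Probe: allocate fb_info and its separately owned deferred I/O state. */
static struct model_fb_info *model_probe(size_t len)
{
    struct model_fb_info *info = calloc(1, sizeof(*info));
    struct model_defio_state *st = calloc(1, sizeof(*st));
    unsigned char *screen = calloc(1, len);

    if (!info || !st || !screen) {
        free(info); free(st); free(screen);
        return NULL;
    }
    info->screen = screen;
    info->len = len;
    info->defio = st;
    st->info = info;
    return info;
}

/* mmap(): the mapping counts on the state, never keeps a pointer to fb_info. */
static struct model_defio_state *model_mmap(struct model_fb_info *info)
{
    info->defio->nr_mappings++;
    return info->defio;
}

/* Hot-unplug: free fb_info and its memory; only invalidate the state. */
static void model_unplug(struct model_fb_info *info)
{
    struct model_defio_state *st = info->defio;

    free(info->screen);
    free(info);
    st->info = NULL;              /* later faults see "no device" */
    if (st->nr_mappings == 0)
        free(st);                 /* no mapping left to observe it */
}

/* Fault on the mapping: resolve to screen memory or report SIGBUS. */
static int model_fault(struct model_defio_state *st, size_t off,
                       unsigned char **page)
{
    if (!st->info || off >= st->info->len)
        return FAULT_SIGBUS;
    *page = st->info->screen + off;
    return FAULT_OK;
}

/* munmap(): the last mapping to close releases an orphaned state. */
static void model_munmap(struct model_defio_state *st)
{
    if (--st->nr_mappings == 0 && !st->info)
        free(st);
}

/* The advisory's sequence: map, unplug while mapped, touch, unmap.
 * Stores the fault results before and after unplug; returns 0 on success. */
static int run_unplug_scenario(int *before, int *after)
{
    struct model_fb_info *info = model_probe(4096);
    struct model_defio_state *map;
    unsigned char *page = NULL;

    if (!info)
        return -1;
    map = model_mmap(info);
    *before = model_fault(map, 0, &page);
    if (*before == FAULT_OK)
        page[0] = 0xff;           /* write lands in live screen memory */
    model_unplug(info);           /* device vanishes under the mapping */
    *after = model_fault(map, 0, &page);  /* never touches freed fb_info */
    model_munmap(map);            /* final close frees the state */
    return 0;
}

int main(void)
{
    int before = 0, after = 0;

    if (run_unplug_scenario(&before, &after) != 0)
        return 1;
    printf("fault before unplug: %s\n", before == FAULT_OK ? "OK" : "SIGBUS");
    printf("fault after unplug:  %s\n", after == FAULT_OK ? "OK" : "SIGBUS");
    return 0;
}
```

Build with cc -Wall and run: the first fault resolves to screen memory, the second, after the unplug, reports SIGBUS and the freed fb_info is never dereferenced. The invariant to take from it is the one the commit message states: the mapping never holds fb_info, and the state it does hold is freed by whichever of unplug or final munmap happens last.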
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.6 | 6.6.140 | 2a40f8bc9bb7 |
| 6.12 | 6.12.88 | 2b53d3a52e8e |
| 6.18 | 6.18.30 | 25c2b77bc463 |
| 7.0 | 7.0.4 | a0aafb421dd1 |
| mainline | 7.1-rc1 | 9ded47ad003f |