CVE-2026-43236
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 06/05/2026
Last modified: 06/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release

The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying
the atmel_hlcdc_plane state structure without properly duplicating the
drm_plane_state. In particular, state->commit remained set to the old
state commit, which can lead to a use-after-free in the next
drm_atomic_commit() call.

Fix this by calling
__drm_atomic_helper_duplicate_plane_state(), which correctly clones
the base drm_plane_state (including the ->commit pointer).

It has been seen when closing and re-opening the device node while
another DRM client (e.g. fbdev) is still attached:

=============================================================================
BUG kmalloc-64 (Not tainted): Poison overwritten
-----------------------------------------------------------------------------

0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b
FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b
Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0
pid=29
drm_atomic_helper_setup_commit+0x1e8/0x7bc
drm_atomic_helper_commit+0x3c/0x15c
drm_atomic_commit+0xc0/0xf4
drm_framebuffer_remove+0x4cc/0x5a8
drm_mode_rmfb_work_fn+0x6c/0x80
process_one_work+0x12c/0x2cc
worker_thread+0x2a8/0x400
kthread+0xc0/0xdc
ret_from_fork+0x14/0x28
Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0
pid=169
drm_atomic_helper_commit_hw_done+0x100/0x150
drm_atomic_helper_commit_tail+0x64/0x8c
commit_tail+0x168/0x18c
drm_atomic_helper_commit+0x138/0x15c
drm_atomic_commit+0xc0/0xf4
drm_atomic_helper_set_config+0x84/0xb8
drm_mode_setcrtc+0x32c/0x810
drm_ioctl+0x20c/0x488
sys_ioctl+0x14c/0xc20
ret_fast_syscall+0x0/0x54
Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0
flags=0x200(workingset|zone=0)
Object 0xc611b340 @offset=832 fp=0xc611b7c0
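
The defect class described above, as a small user-space C model added here for illustration; it is not code from the kernel or from the atmel-hlcdc driver. All struct and function names are hypothetical stand-ins, and the fixed path is assumed to clear the copied commit pointer rather than inherit it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space stand-ins; every name here is hypothetical, not kernel code. */
struct commit { int released; int stale_uses; };       /* models drm_crtc_commit */
struct base_state { struct commit *commit; };          /* models drm_plane_state */
struct drv_state { struct base_state base; int cfg; }; /* models the driver's plane state */

/* Before the fix: flat copy, so base.commit still points at the old commit. */
static struct drv_state *dup_flat(const struct drv_state *old)
{
    struct drv_state *copy = malloc(sizeof(*copy));
    if (copy)
        memcpy(copy, old, sizeof(*copy));
    return copy;
}

/* After the fix: same copy, but base.commit is not inherited (assumed: set to NULL). */
static struct drv_state *dup_with_helper(const struct drv_state *old)
{
    struct drv_state *copy = dup_flat(old);
    if (copy)
        copy->base.commit = NULL;
    return copy;
}

/* Returns how many times a released commit was touched, or -1 on error. */
static int run(struct drv_state *(*dup)(const struct drv_state *))
{
    struct commit c = { 0, 0 };   /* stays allocated so the model is memory-safe */
    struct drv_state old = { { &c }, 7 };   /* constructed sample state */
    struct drv_state *copy = dup(&old);
    if (!copy)
        return -1;
    c.released = 1;               /* the previous commit completes and is released */
    /* The next commit consults state->commit; a released one is the bug. */
    if (copy->base.commit && copy->base.commit->released)
        copy->base.commit->stale_uses++;
    int cfg_kept = (copy->cfg == 7);   /* driver-private data must survive */
    free(copy);
    return cfg_kept ? c.stale_uses : -1;
}

int main(void)
{
    printf("flat copy: %d stale use(s), helper: %d\n", run(dup_flat), run(dup_with_helper));
    return 0;
}
```

In the model the commit object is only flagged as released instead of being freed, so the stale access can be counted without corrupting memory the way the slab report above shows.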
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/549c6db503dbb85dbff4840830971853feac6625
- https://git.kernel.org/stable/c/6404898af86d986db1dbbe06177c143e40652e49
- https://git.kernel.org/stable/c/796e77c14c4c1e2cd36473760fb6cc66c695eb47
- https://git.kernel.org/stable/c/7b4d0fab3ff2c00c6d34e1952c9df5129a826aee
- https://git.kernel.org/stable/c/a205740a7231e967ac77cb731171642901c327af
- https://git.kernel.org/stable/c/ac2d898da5095d46bd1ff8585fdd753d58ad91e7
- https://git.kernel.org/stable/c/bc847787233277a337788568e90a6ee1557595eb
- https://git.kernel.org/stable/c/fd4a4d0711f48a99b25bcd45e00eef8339eff82d



