CVE-2026-46314

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/v3d: Reject empty multisync extension to prevent infinite loop<br /> <br /> v3d_get_extensions() walks a userspace-provided singly-linked list of<br /> ioctl extensions without any bound on the chain length. A local user<br /> can craft a self-referential extension (ext-&gt;next == &amp;ext) with zero<br /> in_sync_count and out_sync_count, which bypasses the existing duplicate-<br /> extension guard:<br /> <br /> if (se-&gt;in_sync_count || se-&gt;out_sync_count)<br /> return -EINVAL;<br /> <br /> The guard never fires because v3d_get_multisync_post_deps() returns<br /> immediately when count is zero, leaving both fields at zero on every<br /> iteration. The result is an infinite loop in kernel context, blocking<br /> the calling thread and pegging a CPU core indefinitely.<br /> <br /> Fix this by rejecting a multisync extension where both in_sync_count<br /> and out_sync_count are zero in v3d_get_multisync_submit_deps(). An<br /> empty multisync carries no synchronization information and serves no<br /> useful purpose, so returning -EINVAL for such an extension is the<br /> correct defense against this attack vector.