CVE-2021-47200
HIGHLinux Kernel 5.5-5.15.5 - Use-After-Free in drm_gem_ttm_mmap
Title source: llmDescription
In the Linux kernel, the following vulnerability has been resolved: drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap drm_gem_ttm_mmap() drops a reference to the gem object on success. If the gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that drop will free the gem object, and the subsequent drm_gem_object_get() will be a UAF. Fix by grabbing a reference before calling the mmap helper. This issue was forseen when the reference dropping was adding in commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"): "For that to work properly the drm_gem_object_get() call in drm_gem_ttm_mmap() must be moved so it happens before calling obj->funcs->mmap(), otherwise the gem refcount would go down to zero."
References (2)
Core 2
Scores
CVSS v3
7.8
EPSS
0.0022
EPSS Percentile
12.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-416
Status
published
Products (7)
Linux/Linux
< 5.5
Linux/Linux
5.15.5 - 5.15.*
Linux/Linux
5.16
Linux/Linux
5.5
Linux/Linux
9786b65bc61acec63f923978c75e707afbb74bc7 - 4f8e469a2384dfa4047145b0093126462cbb6dc0
Linux/Linux
9786b65bc61acec63f923978c75e707afbb74bc7 - 8244a3bc27b3efd057da154b8d7e414670d5044f
linux/linux_kernel
5.5 - 5.15.5
Published
Apr 10, 2024
Tracked Since
Feb 18, 2026