CVE-2026-46314

MEDIUM

drm/v3d: Reject empty multisync extension to prevent infinite loop

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Reject empty multisync extension to prevent infinite loop v3d_get_extensions() walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referential extension (ext->next == &ext) with zero in_sync_count and out_sync_count, which bypasses the existing duplicate- extension guard: if (se->in_sync_count || se->out_sync_count) return -EINVAL; The guard never fires because v3d_get_multisync_post_deps() returns immediately when count is zero, leaving both fields at zero on every iteration. The result is an infinite loop in kernel context, blocking the calling thread and pegging a CPU core indefinitely. Fix this by rejecting a multisync extension where both in_sync_count and out_sync_count are zero in v3d_get_multisync_submit_deps(). An empty multisync carries no synchronization information and serves no useful purpose, so returning -EINVAL for such an extension is the correct defense against this attack vector.

Scores

CVSS v3 5.5
EPSS 0.0011
EPSS Percentile 1.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-835
Status published
Products (15)
linux/Kernel 5.16.0 - 6.1.176linux
linux/Kernel 6.19.0 - 7.0.9linux
linux/Kernel 6.2.0 - 6.18.33linux
Linux/Linux < 5.16
Linux/Linux 5.16
Linux/Linux 6.1.176 - 6.1.*
Linux/Linux 6.18.33 - 6.18.*
Linux/Linux 7.0.9 - 7.0.*
Linux/Linux 7.1
Linux/Linux 7.1-rc1
... and 5 more
Published Jun 08, 2026
Tracked Since Jun 08, 2026