GHSA-J77R-M2HP-2792
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31In the Linux kernel, the following vulnerability has been resolved:
drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release
The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying the atmel_hlcdc_plane state structure without properly duplicating the drm_plane_state. In particular, state->commit remained set to the old state commit, which can lead to a use-after-free in the next drm_atomic_commit() call.
Fix this by calling __drm_atomic_helper_duplicate_plane_state(), which correctly clones the base drm_plane_state (including the ->commit pointer).
It has been seen when closing and re-opening the device node while another DRM client (e.g. fbdev) is still attached:
============================================================================= BUG kmalloc-64 (Not tainted): Poison overwritten
0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0 pid=29 drm_atomic_helper_setup_commit+0x1e8/0x7bc drm_atomic_helper_commit+0x3c/0x15c drm_atomic_commit+0xc0/0xf4 drm_framebuffer_remove+0x4cc/0x5a8 drm_mode_rmfb_work_fn+0x6c/0x80 process_one_work+0x12c/0x2cc worker_thread+0x2a8/0x400 kthread+0xc0/0xdc ret_from_fork+0x14/0x28 Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0 pid=169 drm_atomic_helper_commit_hw_done+0x100/0x150 drm_atomic_helper_commit_tail+0x64/0x8c commit_tail+0x168/0x18c drm_atomic_helper_commit+0x138/0x15c drm_atomic_commit+0xc0/0xf4 drm_atomic_helper_set_config+0x84/0xb8 drm_mode_setcrtc+0x32c/0x810 drm_ioctl+0x20c/0x488 sys_ioctl+0x14c/0xc20 ret_fast_syscall+0x0/0x54 Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0 flags=0x200(workingset|zone=0) Object 0xc611b340 @offset=832 fp=0xc611b7c0
{
"affected": [],
"aliases": [
"CVE-2026-43236"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:43Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release\n\nThe atmel_hlcdc_plane_atomic_duplicate_state() callback was copying\nthe atmel_hlcdc_plane state structure without properly duplicating the\ndrm_plane_state. In particular, state-\u003ecommit remained set to the old\nstate commit, which can lead to a use-after-free in the next\ndrm_atomic_commit() call.\n\nFix this by calling\n__drm_atomic_helper_duplicate_plane_state(), which correctly clones\nthe base drm_plane_state (including the -\u003ecommit pointer).\n\nIt has been seen when closing and re-opening the device node while\nanother DRM client (e.g. fbdev) is still attached:\n\n=============================================================================\nBUG kmalloc-64 (Not tainted): Poison overwritten\n-----------------------------------------------------------------------------\n\n0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b\nFIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b\nAllocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0\npid=29\n drm_atomic_helper_setup_commit+0x1e8/0x7bc\n drm_atomic_helper_commit+0x3c/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_framebuffer_remove+0x4cc/0x5a8\n drm_mode_rmfb_work_fn+0x6c/0x80\n process_one_work+0x12c/0x2cc\n worker_thread+0x2a8/0x400\n kthread+0xc0/0xdc\n ret_from_fork+0x14/0x28\nFreed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0\npid=169\n drm_atomic_helper_commit_hw_done+0x100/0x150\n drm_atomic_helper_commit_tail+0x64/0x8c\n commit_tail+0x168/0x18c\n drm_atomic_helper_commit+0x138/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_atomic_helper_set_config+0x84/0xb8\n drm_mode_setcrtc+0x32c/0x810\n drm_ioctl+0x20c/0x488\n sys_ioctl+0x14c/0xc20\n ret_fast_syscall+0x0/0x54\nSlab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0\nflags=0x200(workingset|zone=0)\nObject 0xc611b340 @offset=832 fp=0xc611b7c0",
"id": "GHSA-j77r-m2hp-2792",
"modified": "2026-05-08T15:31:18Z",
"published": "2026-05-06T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43236"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/549c6db503dbb85dbff4840830971853feac6625"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6404898af86d986db1dbbe06177c143e40652e49"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/796e77c14c4c1e2cd36473760fb6cc66c695eb47"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b4d0fab3ff2c00c6d34e1952c9df5129a826aee"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a205740a7231e967ac77cb731171642901c327af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac2d898da5095d46bd1ff8585fdd753d58ad91e7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bc847787233277a337788568e90a6ee1557595eb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fd4a4d0711f48a99b25bcd45e00eef8339eff82d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.