CVE-2026-46314

NONE EPSS 5.3%
Published Jun 8, 2026 3w ago
Last Modified Jun 19, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Reject empty multisync extension to prevent infinite loop

v3d_get_extensions() walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referential extension (ext->next == &ext) with zero in_sync_count and out_sync_count, which bypasses the existing duplicate-extension guard:

    if (se->in_sync_count || se->out_sync_count)
        return -EINVAL;

The guard never fires because v3d_get_multisync_post_deps() returns immediately when count is zero, leaving both fields at zero on every iteration. The result is an infinite loop in kernel context, blocking the calling thread and pegging a CPU core indefinitely.

Fix this by rejecting a multisync extension where both in_sync_count and out_sync_count are zero in v3d_get_multisync_submit_deps(). An empty multisync carries no synchronization information and serves no useful purpose, so returning -EINVAL for such an extension is the correct defense against this attack vector.
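A simplified userspace model of the extension walk described above, added here as an example; it is not kernel source and not code from this page. The names `model_ext`, `model_submit`, `walk_extensions`, `run_self_loop`, `EXT_MULTISYNC` and the `MAX_STEPS` cap are assumptions made for illustration; the cap exists only so the unfixed behaviour can be observed and reported as `-ELOOP`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_STEPS 1000  /* model-only cap so the unfixed walk can be observed */
#define EXT_MULTISYNC 1 /* constructed id, not the real uapi value */

struct model_ext {      /* stands in for a userspace-provided extension header */
    struct model_ext *next;
    uint32_t id;
    uint32_t in_sync_count, out_sync_count;
};

struct model_submit { uint32_t in_sync_count, out_sync_count; };

/* Returns 0 on success, -EINVAL on rejection, -ELOOP when the model cap is
 * hit (the walk described in the advisory has no cap and never returns). */
int walk_extensions(struct model_ext *ext, struct model_submit *se, int fixed)
{
    int steps = 0;
    while (ext) {
        if (++steps > MAX_STEPS)
            return -ELOOP;
        if (ext->id != EXT_MULTISYNC)
            return -EINVAL;
        /* Duplicate-extension guard quoted in the description. */
        if (se->in_sync_count || se->out_sync_count)
            return -EINVAL;
        /* The fix: an empty multisync is rejected outright. */
        if (fixed && !ext->in_sync_count && !ext->out_sync_count)
            return -EINVAL;
        /* With zero counts these stay zero, so the guard above never trips. */
        se->in_sync_count = ext->in_sync_count;
        se->out_sync_count = ext->out_sync_count;
        ext = ext->next;
    }
    return 0;
}

/* Constructed input: a one-node chain whose next pointer refers to itself. */
int run_self_loop(uint32_t in, uint32_t out, int fixed)
{
    struct model_ext e = { .next = NULL, .id = EXT_MULTISYNC,
                           .in_sync_count = in, .out_sync_count = out };
    struct model_submit se = { 0, 0 };
    e.next = &e;
    return walk_extensions(&e, &se, fixed);
}
int main(void) { return run_self_loop(0, 0, 1) == -EINVAL ? 0 : 1; }
```

A self-referential chain with a non-zero count is already stopped by the duplicate guard on the second pass; only the all-zero case needs the added rejection.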

Threat Intelligence

EPSS Exploit Probability
5.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 4

  • git.kernel.org https://git.kernel.org/stable/c/309abbddeca0c12714721928a819ef45e5710998
  • git.kernel.org https://git.kernel.org/stable/c/4fa42a249e8cd6ed17aea04e5695b6e9001f2433
  • git.kernel.org https://git.kernel.org/stable/c/9c5164781cb388d219d8f49fa0f0b04cf86ad544
  • git.kernel.org https://git.kernel.org/stable/c/fb44d589bf3148e13452185a6e772a7efbf2d684

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.