CVE-2026-43368 Overview
CVE-2026-43368 is an integer overflow vulnerability in the Linux kernel's Intel i915 Direct Rendering Manager (DRM) driver. The flaw resides in the shared memory (shmem) scatterlist handling code for Graphics Execution Manager (GEM) objects. When a scatterlist table backs a GEM shmem object of 4 GB or larger, the unsigned int .length attribute of a scatterlist entry can overflow if the cumulative byte length of folio pages assigned to that entry reaches or exceeds the 4 GB boundary. The result is premature end-of-object handling, kernel warnings in remap_sg, and potential memory corruption affecting confidentiality, integrity, and availability on systems using Intel graphics.
Critical Impact
Local users with access to i915 GEM interfaces can trigger an integer overflow in scatterlist length tracking, leading to out-of-bounds memory mapping and kernel instability.
Affected Products
- Linux kernel versions through 7.0-rc3 containing the i915 DRM driver
- Linux kernel 7.0:rc1, 7.0:rc2, and 7.0:rc3 release candidates
- Systems using Intel integrated graphics with the i915 driver and large GEM shmem objects
Discovery Timeline
- 2026-05-08 - CVE-2026-43368 published to the National Vulnerability Database (NVD)
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43368
Vulnerability Analysis
The vulnerability is an [CWE-190] integer overflow in drivers/gpu/drm/i915/ scatterlist construction. A scatterlist entry uses an unsigned int for the .length field, capping a single entry at 4 GB minus one byte. When the i915 driver populates a scatterlist for a GEM shmem object using pages allocated from a folio, it can append page byte counts to a single scatterlist entry without enforcing the maximum segment size. Once accumulated length reaches the 32-bit boundary, .length wraps to a small value while the driver continues treating the entry as covering the full range.
The kernel warning trace originates at remap_sg+0x199 in drivers/gpu/drm/i915/i915_mm.c:55, triggered through the vm_fault_cpu path during a CPU-side memory-mapped fault on the GEM object. Downstream code such as remap_io_sg and apply_to_page_range then operates on corrupted length metadata, mapping fewer pages than expected or accessing memory beyond the intended object range.
Root Cause
The root cause is missing enforcement of max_segment when concatenating folio pages into a single scatterlist entry. The original commit author annotated the risk in a code comment but never implemented the bounds check. The fix, backported from upstream commit 06249b4e691a, splits scatterlist entries so no single entry exceeds the maximum segment length.
Attack Vector
Exploitation requires local access and low privileges. An attacker with the ability to invoke i915 GEM ioctls, such as via gem_mmap_offset, can allocate a shmem-backed GEM object of at least 4 GB and trigger a CPU fault on the mapping. This forces the overflow path in remap_sg, producing kernel warnings, memory corruption, or a denial of service. No user interaction is required beyond the attacker's own process.
No public proof-of-concept code is currently available. The vulnerability manifests through standard DRM/GEM userspace interfaces and was reproduced by the kernel CI test gem_mmap_offset. See the upstream patch commit for technical details on the fix.
Detection Methods for CVE-2026-43368
Indicators of Compromise
- Kernel warning messages containing WARNING: CPU: ... at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg
- Tainted kernel state flags [S]=CPU_OUT_OF_SPEC and [U]=USER appearing in dmesg after GEM mmap operations
- Unexpected segmentation faults or process termination in graphics workloads using large buffer objects on Intel hardware
Detection Strategies
- Monitor dmesg and /var/log/kern.log for remap_sg warnings and i915 call traces involving vm_fault_cpu and remap_io_sg
- Audit running kernel versions against the affected range and flag hosts still running 7.0-rc1 through 7.0-rc3 or earlier unpatched stable kernels
- Track local processes invoking DRM ioctls on i915 device nodes (/dev/dri/card*) that allocate GEM objects approaching or exceeding 4 GB
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized logging or SIEM platform and alert on i915 plus WARNING co-occurrence
- Inventory endpoints running Intel graphics hardware (such as Meteor Lake client platforms) and correlate with kernel build identifiers
- Track abnormal process crashes in graphics-intensive applications as a behavioral signal of underlying driver instability
How to Mitigate CVE-2026-43368
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the official commit list and reboot affected systems
- Prioritize patching on workstations and developer hosts using Intel integrated graphics where local users can allocate large GEM buffers
- Restrict local shell access on multi-user systems running unpatched kernels until updates are deployed
Patch Information
The fix enforces max_segment when building scatterlists from folio pages, preventing any single entry's .length from reaching the 32-bit boundary. Patches are available in the stable kernel tree under commits 029ae067431a, 1c956f0fccc2, 21a301f12d18, aeb7255531ba, and eae4bf410757. Rebuild and redeploy distribution kernels that incorporate these commits.
Workarounds
- Avoid allocating GEM shmem objects of 4 GB or larger on unpatched systems until kernel updates are applied
- Limit local user access to /dev/dri/* device nodes by tightening group membership on the video and render groups
- Disable or unload the i915 module on systems that do not require Intel graphics acceleration, where operationally feasible
# Verify running kernel version and i915 driver status
uname -r
lsmod | grep i915
# Restrict DRM device access to a narrowly scoped group
sudo chmod 0660 /dev/dri/card0 /dev/dri/renderD128
sudo chown root:render /dev/dri/renderD128
# Monitor for the specific warning signature
dmesg -w | grep -E 'i915|remap_sg'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
