CVE-2026-46247 Overview
CVE-2026-46247 affects the Linux kernel's Qualcomm graphics clock driver (clk: qcom: gfx3d). The vulnerability triggers a kernel crash when the system attempts to determine the GFX3D clock rate. The fault was introduced after commit d228ece36345 ("clk: divider: remove round_rate() in favor of determine_rate()"), which exposed an incomplete parent-to-parent request map in the GFX3D clock driver. The passed parent map does not provide the expected best_parent_hw clock, leading to a null dereference during clock rate determination on affected Qualcomm Snapdragon platforms.
Critical Impact
Local denial of service on Linux systems using Qualcomm GFX3D clocks, triggered during routine GPU devfreq operations.
Affected Products
- Linux kernel versions containing commit d228ece36345 in the clock divider subsystem
- Qualcomm Snapdragon platforms using the clk-rcg2 GFX3D clock driver
- Systems running the MSM DRM GPU driver with devfreq governance
Discovery Timeline
- 2026-06-03 - CVE-2026-46247 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46247
Vulnerability Analysis
The vulnerability resides in the Qualcomm Reset Controller Generator 2 (RCG2) clock driver, specifically in clk_gfx3d_determine_rate() at drivers/clk/qcom/clk-rcg2.c:1268. The function constructs a clock rate request but fails to populate the best_parent_hw field in the embedded parent_req structure. Before commit d228ece36345, the legacy round_rate() path ignored best_parent_hw, masking the latent bug. After the divider subsystem transitioned exclusively to determine_rate(), the missing pointer reaches clk_divider_bestdiv() and clk_hw_round_rate(), where it is dereferenced.
The crash propagates through the devfreq subsystem during routine GPU frequency scaling. The call chain traverses msm_devfreq_target(), dev_pm_opp_set_rate(), clk_round_rate(), and ultimately reaches the faulting clk_hw_round_rate() in drivers/clk/clk.c:1764. The patch sets the best_parent_hw field in parent_req in addition to the outer req, restoring expected parent map semantics.
Root Cause
The root cause is an incomplete parent request map in the GFX3D RCG2 driver. The clk_gfx3d_determine_rate() function populated only the outer clock rate request structure while leaving the nested parent request's best_parent_hw field unset, violating an invariant that became enforced after the divider subsystem switched to determine_rate(). This is a null pointer dereference [CWE-476] in kernel context.
Attack Vector
The defect is reachable through normal GPU workload activity that triggers devfreq frequency scaling. A local user running graphics workloads on an affected Qualcomm platform causes the devfreq monitor to invoke msm_devfreq_target(), which traverses the broken code path. No specific privileges or crafted input are required beyond running GPU-bound code on the affected hardware. The result is a kernel oops or panic, producing a local denial of service.
No verified exploitation code is available. The crash is reproducible through standard GPU usage rather than crafted attacker input. See the upstream fix commit for the specific source modification.
Detection Methods for CVE-2026-46247
Indicators of Compromise
- Kernel oops or panic with a call trace containing clk_hw_round_rate, clk_divider_bestdiv, and clk_gfx3d_determine_rate
- System logs showing crashes originating from msm_devfreq_target during GPU workload execution
- Repeated GPU subsystem failures or display stack hangs on Qualcomm Snapdragon hardware
Detection Strategies
- Inspect dmesg and persistent kernel logs for stack traces referencing clk-rcg2.c and clk-divider.c frames
- Audit running kernel versions against the patched commits in the stable kernel tree
- Correlate kernel panic events with devfreq governor activity on MSM DRM-enabled devices
Monitoring Recommendations
- Forward kernel crash logs and kdump artifacts to a centralized logging platform for trend analysis
- Alert on repeated soft lockups or panics in the clock or devfreq subsystems on Qualcomm-based fleet devices
- Track kernel package versions across managed Linux endpoints to identify unpatched systems running affected releases
How to Mitigate CVE-2026-46247
Immediate Actions Required
- Apply the upstream kernel patches referenced in the stable tree commits to all affected Qualcomm-based Linux systems
- Identify endpoints running affected kernel versions with the GFX3D RCG2 driver and prioritize them for update
- For non-production or test devices, reproduce the crash path to confirm patch effectiveness before fleet-wide rollout
Patch Information
The fix has been merged into multiple stable kernel branches. Patched commits include 2583cb925ca1, 547ae2f17349, 56360aa4ddd7, 82cfe5292b11, 8aa972eba1f2, and aed53da569fb. Refer to the Linux stable kernel commits for the authoritative source change. Distribution kernels should be updated to releases incorporating these fixes.
Workarounds
- Disable or constrain devfreq scaling on the affected GPU to avoid traversing the faulting code path, accepting performance trade-offs
- Pin the GFX3D clock to a fixed rate where the platform configuration permits, bypassing dynamic rate determination
- Revert to a kernel revision predating commit d228ece36345 only as a short-term measure until the patched release can be deployed
# Verify the running kernel and check for the fixed commit
uname -r
# Inspect kernel log for the offending call trace
dmesg | grep -E "clk_hw_round_rate|clk_gfx3d_determine_rate|clk_divider_bestdiv"
# Optional: disable GPU devfreq governance as a temporary mitigation
echo performance | sudo tee /sys/class/devfreq/*.gpu/governor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
