CVE-2026-46312 Overview
CVE-2026-46312 is a Linux kernel vulnerability in the videobuf2 media subsystem. The vb2_dma_sg_mmap() function fails to set the VM_DONTEXPAND and VM_DONTDUMP VMA flags, while the parallel vb2_dma_contig implementation correctly sets them. This inconsistency triggers a WARN_ON(!(vma->vm_flags & VM_DONTEXPAND)) assertion inside drm_gem_mmap_obj() when userspace performs mmap() on an imported dma-buf backed by vb2_dma_sg_memops. The condition was reproduced using the out-of-tree Apple ISP camera capture driver with gst-launch-1.0 v4l2src ! gtk4paintablesink on Apple Silicon hardware running kernel 6.17.6.
Critical Impact
Local users invoking mmap() on dma-buf objects exported from drivers using vb2_dma_sg_memops can trigger kernel warnings and tainted-kernel states, which disrupts memory accounting expectations in the DRM and media subsystems.
Affected Products
- Linux kernel media subsystem (drivers/media/common/videobuf2/videobuf2-dma-sg.c)
- Drivers that import dma-buf objects through vb2_dma_sg_memops, including the out-of-tree Apple ISP camera capture driver
- DRM GEM consumers performing mmap() on imported videobuf2_dma_sg buffers
Discovery Timeline
- 2026-06-08 - CVE-2026-46312 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46312
Vulnerability Analysis
The defect resides in the videobuf2 (vb2) memory operations layer, specifically the scatter-gather DMA backend (vb2_dma_sg). When a buffer allocated by this backend is exported as a dma-buf and then imported by a DRM driver, the importer eventually invokes drm_gem_mmap_obj() during userspace mmap(). That function enforces an invariant: the VMA must carry the VM_DONTEXPAND flag, asserted via WARN_ON(!(vma->vm_flags & VM_DONTEXPAND)).
The peer backend vb2_dma_contig sets both VM_DONTEXPAND and VM_DONTDUMP on the VMA inside its mmap handler. The vb2_dma_sg_mmap handler historically omitted these flags. When the GStreamer pipeline v4l2src ! gtk4paintablesink runs on a system where the V4L2 source uses vb2_dma_sg and the sink imports the dma-buf into DRM, the missing flag causes the warning at drivers/gpu/drm/drm_gem.c:1144, tainting the kernel with the W flag.
Root Cause
The root cause is an inconsistency in VMA flag handling between vb2_dma_contig_mmap and vb2_dma_sg_mmap. The scatter-gather variant did not propagate VM_DONTEXPAND and VM_DONTDUMP onto the user mapping, breaking the contract that DRM GEM and other dma-buf consumers expect. The fix aligns both backends so that mappings backed by vb2_dma_sg carry the same VMA semantics as the contiguous backend.
Attack Vector
Exploitation requires local access and the ability to open a V4L2 capture device whose driver uses vb2_dma_sg_memops, then mmap the resulting buffer through a dma-buf importer such as a DRM driver. The observable effect is a kernel WARN_ON and a tainted kernel; no memory corruption primitive is described in the upstream report. The condition is reachable from any unprivileged process with access to the affected /dev/video* and DRM device nodes.
The vulnerability manifests in the vb2_dma_sg_mmap path. See the upstream commits in the Linux Kernel Commit b4cf916 and Linux Kernel Commit 7254b31 for the exact patch hunks.
Detection Methods for CVE-2026-46312
Indicators of Compromise
- Kernel ring buffer entries containing WARNING: CPU: ... at drivers/gpu/drm/drm_gem.c referencing drm_gem_mmap_obj+0x1f8/0x210.
- Kernel taint flag W appearing after userspace media pipelines such as gst-launch-1.0 v4l2src ! gtk4paintablesink execute.
- Stack traces showing drm_gem_mmap invoked through __mmap_region from a process that has opened a videobuf2_dma_sg-backed V4L2 device.
Detection Strategies
- Audit dmesg and persistent kernel logs (/var/log/kern.log, journalctl -k) for the drm_gem_mmap_obj warning signature.
- Inventory loaded modules for videobuf2_dma_sg alongside out-of-tree drivers such as apple_isp to identify hosts running affected combinations.
- Compare running kernel versions against the fix commits listed in the upstream stable tree references.
Monitoring Recommendations
- Forward kernel logs into a centralized log platform and alert on WARN_ON events originating from drm_gem.c or videobuf2.
- Track kernel taint state by reading /proc/sys/kernel/tainted across the fleet and alerting on transitions to non-zero values.
- Monitor for repeated process crashes or aborts in media applications using V4L2 capture devices.
How to Mitigate CVE-2026-46312
Immediate Actions Required
- Update Linux kernels to a stable release containing the vb2_dma_sg_mmap VMA flag fix.
- Restrict access to /dev/video* and DRM render nodes to trusted users and groups using udev rules and filesystem permissions.
- Unload or avoid out-of-tree drivers, such as the Apple ISP capture driver, that exercise the affected vb2_dma_sg_memops import path until patched.
Patch Information
The upstream fix sets VM_DONTEXPAND and VM_DONTDUMP inside vb2_dma_sg_mmap, matching the behavior of vb2_dma_contig. The fix is distributed across the following stable-tree commits: Linux Kernel Commit 1a13602, Linux Kernel Commit 21fade5, Linux Kernel Commit 7254b31, Linux Kernel Commit b4cf916, and Linux Kernel Commit feb1752. Apply the patched kernel from your distribution vendor as soon as it is available.
Workarounds
- Avoid pipelines that import vb2_dma_sg buffers into DRM consumers, for example by routing capture through user-space copy rather than zero-copy dma-buf import.
- Disable or blacklist V4L2 drivers that rely on vb2_dma_sg_memops on systems where they are non-essential.
- Limit local user access to media and DRM device nodes to reduce the surface for triggering the kernel warning.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
