CVE-2026-53356 Overview
CVE-2026-53356 affects the Linux kernel's Intel i915 Direct Rendering Manager (DRM) graphics driver. The flaw resides in the Graphics Execution Manager (GEM) subsystem, specifically in how pread and pwrite operations handle physically-contiguous buffer objects (phys BOs) when a non-zero offset is supplied. The sg_page() helper returns a struct page pointer rather than a void *, so adding the offset to that pointer scales the offset by the size of struct page and produces an incorrect address. As a result, reads and writes touch the wrong region of the buffer object. The last impacted hardware generation with overlay or cursor planes using phys mapping was Gen3/945G/Lakeport.
Critical Impact
Incorrect pointer scaling in i915_gem_object_pread_phys() and i915_gem_object_pwrite_phys() causes out-of-bounds access relative to the intended buffer offset, potentially corrupting or leaking kernel memory adjacent to phys BO pages.
Affected Products
- Linux kernel Intel i915 DRM/GEM driver on Gen3, 945G, and Lakeport platforms using phys mapping for overlay or cursor planes
- Stable kernel branches referenced by the linked kernel.org patch commits
- Distributions shipping the affected drivers/gpu/drm/i915/gem code prior to the fixed commits
Discovery Timeline
- 2026-07-01 - CVE-2026-53356 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-53356
Vulnerability Analysis
The vulnerability lives in the i915 GEM phys buffer object read/write path. Phys BOs back small graphics resources such as overlay and cursor planes on legacy Intel platforms using physically-contiguous memory obtained through a scatter-gather list. When userspace issues pread or pwrite ioctls with a non-zero offset, the driver must translate that offset to a kernel virtual address inside the phys BO backing pages.
The backing pointer is retrieved via sg_page(), which returns a struct page *. The original code treated the result as if it were a raw byte pointer (void *) and added the caller-supplied offset. Because struct page is much larger than one byte, pointer arithmetic scaled the offset by sizeof(struct page), landing well outside the intended buffer.
The upstream fix, cherry-picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6, converts the page pointer to a byte-addressable mapping before applying the offset, restoring correct arithmetic. Refer to the kernel.org stable commits 07c33be968d9, 14469860e2e3, 1ec8fc63e9cd, 32d4c5d328a3, 3bd168dd835b, 40f738991058, d21ad9383987, and dd51a2eeb93b for backports.
Root Cause
The root cause is a type-confusion style pointer-arithmetic error [CWE-468-class]. The code performed sg_page(sg) + offset where the left operand is a struct page *, so the compiler scaled offset by the size of struct page rather than by one byte.
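The scaling error can be reproduced in userspace. The following is an added example, not code from the kernel or from the patch: struct fake_page, model_sg_page(), the 64-byte struct size, and the 4096-byte buffer are all assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's struct page. 64 bytes is an assumed,
 * illustrative size; the real size depends on kernel configuration. */
struct fake_page { char opaque[64]; };

#define BO_SIZE    4096u              /* constructed: one-page phys BO */
#define ARENA_SIZE (BO_SIZE * 64u)    /* BO plus modelled adjacent memory */

static char arena[ARENA_SIZE];        /* the BO occupies arena[0..BO_SIZE) */

/* Hypothetical analogue of sg_page(): typed pointer to the BO start. */
static struct fake_page *model_sg_page(void) {
    return (struct fake_page *)arena;
}

/* Pre-fix pattern: the offset is added to a struct pointer, so the
 * compiler multiplies it by sizeof(struct fake_page).
 * Returns the byte index actually addressed. */
static size_t landing_buggy(size_t offset) {
    struct fake_page *p = model_sg_page() + offset;
    return (size_t)((char *)p - arena);
}

/* Corrected pattern: convert to a byte pointer first, then add. */
static size_t landing_fixed(size_t offset) {
    char *p = (char *)model_sg_page() + offset;
    return (size_t)(p - arena);
}

/* Model a one-byte pwrite; returns 1 if the write stayed inside the BO. */
static int pwrite_byte_in_bo(int fixed, size_t offset, char value) {
    size_t idx = fixed ? landing_fixed(offset) : landing_buggy(offset);
    arena[idx] = value;
    return idx < BO_SIZE;
}

int main(void) {
    size_t offsets[] = { 1, 16, 100, 1000 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        size_t o = offsets[i];
        printf("offset %4zu: fixed -> byte %4zu, buggy -> byte %5zu (%s)\n",
               o, landing_fixed(o), landing_buggy(o),
               pwrite_byte_in_bo(0, o, 'X') ? "inside BO, wrong byte"
                                            : "outside BO");
    }
    return 0;
}
```

In this model, small offsets still land inside the buffer but on the wrong byte, while larger offsets leave the buffer entirely.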
Attack Vector
Exploitation requires the ability to issue GEM pread/pwrite ioctls against a phys-backed BO on affected legacy Intel graphics hardware. Because only Gen3/945G/Lakeport platforms create overlay or cursor planes using phys mapping, the practical attack surface is limited to systems running the i915 driver on that hardware. A local user with access to the DRM device node can trigger out-of-buffer kernel memory access using a non-zero offset.
No public proof-of-concept is available. The vulnerability is described in prose only; see the referenced kernel patch commit 07c33be for the exact code change.
Detection Methods for CVE-2026-53356
Indicators of Compromise
- Unexpected kernel oops or GPF entries in dmesg referencing i915_gem_object_pread_phys or i915_gem_object_pwrite_phys
- KASAN or SLUB debug reports flagging out-of-bounds access from the i915 GEM phys path
- Anomalous X server or Wayland compositor crashes on Gen3/945G/Lakeport hardware coinciding with DRM ioctl activity
Detection Strategies
- Monitor kernel logs for i915 GEM warnings and page-fault backtraces originating in drivers/gpu/drm/i915/gem/i915_gem_phys.c
- Track kernel package versions across the fleet and flag hosts still running pre-patch i915 code on affected legacy Intel GPUs
- Audit local processes invoking DRM_IOCTL_I915_GEM_PREAD and DRM_IOCTL_I915_GEM_PWRITE with non-zero offsets on phys-backed BOs
Monitoring Recommendations
- Forward dmesg and journald kernel logs to a central log store and alert on i915 stack traces
- Enable KASAN or CONFIG_DEBUG_SG on test images for legacy Intel graphics platforms to surface out-of-bounds behavior early
- Track the EPSS score for CVE-2026-53356, currently reported as 0.164%, alongside distribution security advisories for changes in exploit likelihood
How to Mitigate CVE-2026-53356
Immediate Actions Required
- Apply the vendor kernel update that includes the upstream fix cherry-picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6
- Prioritize patching hosts running the i915 driver on Gen3, 945G, or Lakeport hardware where phys mapping is used for overlay or cursor planes
- Restrict local shell access on multi-user systems that expose /dev/dri/card* to untrusted users until the patch is deployed
Patch Information
Fixes are available in the stable kernel commits 07c33be968d9, 14469860e2e3, 1ec8fc63e9cd, 32d4c5d328a3, 3bd168dd835b, 40f738991058, d21ad9383987, and dd51a2eeb93b. Rebuild the kernel from a stable branch containing one of these commits, or install the corresponding distribution kernel update. See the Kernel Patch Commit 07c33be and Kernel Patch Commit dd51a2e references for the exact source diff.
Workarounds
- Limit access to DRM device nodes through group membership and udev rules on shared systems
- Retire or isolate legacy Gen3/945G/Lakeport Intel graphics hardware where feasible, since only these platforms exercise the vulnerable phys-mapped overlay and cursor code paths
- Where patching is delayed, avoid running untrusted local code on affected hosts
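# Record the running kernel version and compare it against the fixed version in your distribution's advisory
uname -r
# Check whether the i915 driver is enabled in this kernel (this does not by itself confirm the fix is present)
zgrep 'CONFIG_DRM_I915=' /proc/config.gz 2>/dev/null || \
grep 'CONFIG_DRM_I915=' "/boot/config-$(uname -r)"
# Restrict DRM device access to the video group only (not persistent across reboots; use a udev rule to make it permanent)
sudo chown root:video /dev/dri/card*
sudo chmod 0660 /dev/dri/card*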

