Bug 2439945 (CVE-2026-23149)

Summary: CVE-2026-23149 kernel: drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's DRM (Direct Rendering Manager) subsystem. In the drm_gem_change_handle_ioctl() function, userspace can trigger a kernel warning by passing a GEM buffer object handle value larger than INT_MAX. The underlying idr_alloc() function treats this as a negative start value, triggering a WARN_ON_ONCE condition and potentially flooding kernel logs.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-14 17:04:20 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()

Since GEM bo handles are u32 in the uapi and the internal implementation
uses idr_alloc() which uses int ranges, passing a new handle larger than
INT_MAX trivially triggers a kernel warning:

idr_alloc():
...
	if (WARN_ON_ONCE(start < 0))
		return -EINVAL;
...

Fix it by rejecting new handles above INT_MAX and at the same time make
the end limit calculation more obvious by moving into int domain.
Comment 1 TEJ RATHI 2026-02-16 06:39:10 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026021413-CVE-2026-23149-8329@gregkh/T