2451188 – (CVE-2026-23317) CVE-2026-23317 kernel: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions

Bug 2451188 (CVE-2026-23317) - CVE-2026-23317 kernel: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions

Summary: CVE-2026-23317 kernel: drm/vmwgfx: Return the correct value in vmw_translate_...

Keywords:
Status:	NEW
Alias:	CVE-2026-23317
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-25 11:03 UTC by OSIDB Bzimport
Modified:	2026-03-25 17:24 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-25 11:03:37 UTC

In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Return the correct value in vmw_translate_ptr functions

Before the referenced fixes these functions used a lookup function that
returned a pointer. This was changed to another lookup function that
returned an error code with the pointer becoming an out parameter.

The error path when the lookup failed was not changed to reflect this
change and the code continued to return the PTR_ERR of the now
uninitialized pointer. This could cause the vmw_translate_ptr functions
to return success when they actually failed causing further uninitialized
and OOB accesses.

Comment 1 Alexander B 2026-03-25 17:21:05 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23317-0e9e@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.