A newly patched Linux kernel vulnerability, CVE-2026-46215, let any local user with access to a GPU render node escalate to root — no special permissions and no password required. The flaw affected mainline kernels from v6.18-rc1 through the fix, was reported to [email protected] on April 12, 2026, and was patched in late May.
Table of Contents
The Bug
It’s a use-after-free in the DRM GEM core ioctl DRM_IOCTL_GEM_CHANGE_HANDLE, added in v6.18-rc1 for AMD’s CRIU checkpoint/restore work. The ioctl moves a graphics buffer object from one handle to another but never updates the object’s handle_count. For a brief window, the object has two IDR (ID lookup) entries while its handle count still reads 1.
If a second thread calls DRM_IOCTL_GEM_CLOSE on the old handle during that window, it drives the count to 0 and frees the object while the new handle still points to the now-freed memory — a classic race condition.
Why It’s Widely Exploitable
Both ioctls carry the DRM_RENDER_ALLOW flag, meaning any process that can open /dev/dri/renderD* can trigger the race. On most desktop Linux systems, systemd-logind grants that access to any logged-in user by default — so the attack surface is essentially every local user on a typical workstation.
From Race Condition to Root
The Cyberstan proof-of-concept chains several techniques to convert the freed object into full root:
- Reclaims the freed memory slot with a sprayed array of
pipe_bufferstructures. - Leaks a kernel pointer through overlapping struct fields to defeat KASLR.
- Sets
PIPE_BUF_FLAG_CAN_MERGEvia a GEM object naming trick, bypassing the 2022 DirtyPipe fix. - Overwrites the read-only passwd through the page cache, stripping root’s password field.
The results are brutal: across 100 test boots, the exploit succeeded 99 times, winning the race in under 100 iterations on average.
The Fix
AMD’s David Francis and kernel maintainer Dave Airlie shipped a fix that closes the race window using a two-stage idr_replace operation, rolling back cleanly if a concurrent close wins the race. Maintainers went further and disabled the GEM_CHANGE_HANDLE ioctl entirely in the upcoming 7.1 release, removing the vulnerable path altogether.
Fixed versions: 6.18.32, 7.0.9, and 7.1-rc3 onward. Update to one of these as soon as your distribution ships it.
The Bigger Lesson
The vulnerability illustrates a recurring kernel bug pattern: compound operations on refcounted objects where a reference is added, removed, and counted in separate steps, creating windows where concurrent teardown frees memory still in use. Subsystems that skip the established helper functions for this bookkeeping remain at risk of similar races.
Bottom Line
CVE-2026-46215 is about as bad as local privilege escalation gets — near-100% reliable, reachable by any logged-in desktop user, and it defeats an earlier DirtyPipe mitigation along the way. Patch to 6.18.32, 7.0.9, or 7.1-rc3+ promptly.
See also: Mastering the Linux Command Line — Your Complete Free Training Guide




