{"id":"CVE-2026-23227","summary":"drm/exynos: vidi: use ctx-\u003elock to protect struct vidi_context member variables related to memory alloc/free","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: vidi: use ctx-\u003elock to protect struct vidi_context member variables related to memory alloc/free\n\nExynos Virtual Display driver performs memory alloc/free operations\nwithout lock protection, which easily causes concurrency problem.\n\nFor example, use-after-free can occur in race scenario like this:\n```\n\tCPU0\t\t\t\tCPU1\t\t\t\tCPU2\n\t----\t\t\t\t----\t\t\t\t----\n  vidi_connection_ioctl()\n    if (vidi-\u003econnection) // true\n      drm_edid = drm_edid_alloc(); // alloc drm_edid\n      ...\n      ctx-\u003eraw_edid = drm_edid;\n      ...\n\t\t\t\t\t\t\t\tdrm_mode_getconnector()\n\t\t\t\t\t\t\t\t  drm_helper_probe_single_connector_modes()\n\t\t\t\t\t\t\t\t    vidi_get_modes()\n\t\t\t\t\t\t\t\t      if (ctx-\u003eraw_edid) // true\n\t\t\t\t\t\t\t\t        drm_edid_dup(ctx-\u003eraw_edid);\n\t\t\t\t\t\t\t\t          if (!drm_edid) // false\n\t\t\t\t\t\t\t\t          ...\n\t\t\t\tvidi_connection_ioctl()\n\t\t\t\t  if (vidi-\u003econnection) // false\n\t\t\t\t    drm_edid_free(ctx-\u003eraw_edid); // free drm_edid\n\t\t\t\t    ...\n\t\t\t\t\t\t\t\t          drm_edid_alloc(drm_edid-\u003eedid)\n\t\t\t\t\t\t\t\t            kmemdup(edid); // UAF!!\n\t\t\t\t\t\t\t\t            ...\n```\n\nTo prevent these vulns, at least in vidi_context, member variables related\nto memory alloc/free should be protected with ctx-\u003elock.","modified":"2026-04-02T13:12:16.244431Z","published":"2026-02-18T14:53:30.784Z","related":["CGA-j8wg-rh2w-x26j","openSUSE-SU-2026:10387-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23227.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13"},{"type":"WEB","url":"https://git.kernel.org/stable/c/52b330799e2d6f825ae2bb74662ec1b10eb954bb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/60b75407c172e1f341a8a5097c5cbc97dbbdd893"},{"type":"WEB","url":"https://git.kernel.org/stable/c/92dd1f38d7db75374dcdaf54f1d79d67bffd54e5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/abfdf449fb3d7b42e85a1ad1c8694b768b1582f4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23227.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23227"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d3b62dbfc7b9bb013926f56db79b60f6c18c392f"},{"fixed":"92dd1f38d7db75374dcdaf54f1d79d67bffd54e5"},{"fixed":"1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13"},{"fixed":"abfdf449fb3d7b42e85a1ad1c8694b768b1582f4"},{"fixed":"60b75407c172e1f341a8a5097c5cbc97dbbdd893"},{"fixed":"0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385"},{"fixed":"52b330799e2d6f825ae2bb74662ec1b10eb954bb"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23227.json"}}],"schema_version":"1.7.5"}