Medium severity 5.5 · NVD Advisory · Published Apr 3, 2026 · Updated Apr 23, 2026

CVE-2026-23430

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Don't overwrite KMS surface dirty tracker

We were overwriting the surface's dirty tracker here causing a memory leak.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Linux kernel's vmwgfx DRM driver leaks memory because it overwrites the KMS surface dirty tracker, which can potentially lead to denial of service.

Root Cause

The vulnerability in the Linux kernel's vmwgfx Direct Rendering Manager (DRM) driver arises from overwriting the kernel mode setting (KMS) surface dirty tracker. This incorrect handling causes the previous tracker to be leaked, resulting in a memory leak [1][2][3].
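The overwrite described under Root Cause, modelled in user space as an added example (not the driver's code and not the upstream patch). All type and function names are hypothetical, and the guarded variant is only one way to avoid the overwrite in this model.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model; every name is hypothetical, none is from vmwgfx. */
struct dirty_tracker { unsigned int start, end; };
struct surface { struct dirty_tracker *dirty; };
static int live_trackers; /* trackers allocated and not yet freed */

static struct dirty_tracker *tracker_alloc(void)
{
    struct dirty_tracker *t = calloc(1, sizeof(*t));
    if (t)
        live_trackers++;
    return t;
}

/* Leaky: the assignment drops the only pointer to any earlier tracker. */
static int attach_overwrite(struct surface *s)
{
    s->dirty = tracker_alloc();
    return s->dirty ? 0 : -1;
}

/* Guarded: an existing tracker is kept, so nothing is orphaned. */
static int attach_keep(struct surface *s)
{
    if (!s->dirty)
        s->dirty = tracker_alloc();
    return s->dirty ? 0 : -1;
}

/* Attach n times, release the surface once, return trackers left behind. */
static int leaked_after(int (*attach)(struct surface *), int n)
{
    struct surface s = { 0 };
    int before = live_trackers;
    while (n-- > 0 && attach(&s) == 0)
        ;
    if (s.dirty) { /* release can free only the tracker still reachable */
        free(s.dirty);
        live_trackers--;
    }
    return live_trackers - before;
}

int main(void)
{
    printf("overwrite: %d leaked, keep: %d leaked\n", leaked_after(attach_overwrite, 5), leaked_after(attach_keep, 5));
    return 0;
}
```

Each repeated attach on the overwriting path orphans one allocation, which is why the leak grows with the number of calls rather than staying constant.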

Attack Surface and Prerequisites

Exploitation requires local access to the system and the ability to interact with the vmwgfx DRM device, typically through direct rendering (e.g., via the /dev/dri node). No special privileges beyond local user access are needed to trigger the condition that leads to the leak.

Impact

An attacker can repeatedly trigger the memory leak, exhausting system memory over time and leading to a denial of service (DoS). The CVSS v3 base score is 5.5 (Medium), reflecting the need for local access and the potential for availability impact.

Mitigation

Patches are available in the Linux kernel stable tree. Affected users should update to a kernel version containing the commits that resolve this issue [1][2][3].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9
  • Linux/Kernel: 9 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.16.1,<6.18.20)
    • cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

References

3
