CVE-2026-43498
Description
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Disallow re-exporting imported GEM objects
Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.
Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's accel/ivpu driver, re-exporting imported GEM objects causes loss of buffer flags, leading to data corruption; fixed by disallowing re-export via custom callback.
Vulnerability
The vulnerability exists in the accel/ivpu driver in the Linux kernel. Re-exporting of imported GEM objects is allowed, which causes loss of buffer flags settings, leading to incorrect device access and data corruption [1]. Affected versions are those prior to the kernel commit that adds the fix.
Exploitation
An attacker with the ability to import a GEM buffer (via DRM) and re-export it can trigger the bug. The exact prerequisites are not detailed in the available references [1]. The attacker likely needs local user access to the DRM device.
Impact
Successful exploitation leads to incorrect device access and data corruption due to loss of buffer flags. This could result in integrity compromise and potential denial of service. No information disclosure or privilege escalation is indicated in the description [1].
Mitigation
The issue is fixed by adding a custom prime_handle_to_fd callback that prevents re-exporting of imported objects. The fix is included in commit [1] (mainline and likely backported to stable kernels). Users should update to a kernel version containing this commit.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4
7dd57d7a6350, 3756043dd695, 3756043dd695, 7dd57d7a6350
Vulnerability mechanics
Root cause
"Missing restriction on re-exporting imported GEM buffers in the accel/ivpu driver, causing loss of buffer flags settings."
Attack vector
An attacker with access to the accel/ivpu device can import a GEM buffer (e.g., via dma-buf) and then re-export it using the prime handle-to-fd mechanism. This re-export causes the buffer's original flags settings to be lost, leading to incorrect device access and potential data corruption. The vulnerability is triggered through standard DRM/GEM prime operations without requiring special privileges beyond device access [patch_id=1215866][patch_id=1215867].
Affected code
The vulnerability affects the accel/ivpu driver's GEM object handling, specifically the prime export path. The patch introduces a new `ivpu_prime_handle_to_fd` callback that overrides the default DRM prime handle-to-fd behavior for ivpu GEM objects.
What the fix does
The patch adds a custom `prime_handle_to_fd` callback for the ivpu driver that checks whether the GEM object was imported (via `dma_buf`). If the object is imported, the callback returns `-EOPNOTSUPP`, preventing re-export. This closes the vulnerability by ensuring that imported buffers cannot be re-exported, preserving their original flags settings and preventing the data corruption that occurred when those flags were lost [patch_id=1215864][patch_id=1215865].
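The gate described above, as an added userspace model (not the ivpu driver's code and not the actual patch): a checked export path that refuses imported objects with `-EOPNOTSUPP`, next to the unchecked path it wraps. All `model_*` names and the handle table are hypothetical; only the imported-object check and the error code come from this page.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every type and function name here is hypothetical. */
#define MODEL_MAX_HANDLES 8
struct model_bo { bool in_use; bool imported; /* created from a foreign dma-buf */ };
struct model_file {
    struct model_bo bos[MODEL_MAX_HANDLES]; /* handle N lives in slot N-1 */
    int next_fd;                            /* stand-in for fd allocation */
};

/* Add an object; returns a handle (>= 1) or -ENOSPC when the table is full. */
static int model_bo_add(struct model_file *f, bool imported) {
    for (int i = 0; i < MODEL_MAX_HANDLES; i++)
        if (!f->bos[i].in_use) {
            f->bos[i] = (struct model_bo){ .in_use = true, .imported = imported };
            return i + 1;
        }
    return -ENOSPC;
}

static struct model_bo *model_lookup(struct model_file *f, int handle) {
    if (handle < 1 || handle > MODEL_MAX_HANDLES || !f->bos[handle - 1].in_use)
        return NULL;
    return &f->bos[handle - 1];
}

/* Pre-fix behaviour: any valid handle is exported, imported or not. */
static int model_default_handle_to_fd(struct model_file *f, int handle) {
    return model_lookup(f, handle) ? f->next_fd++ : -ENOENT;
}

/* Post-fix behaviour: refuse imported objects, delegate everything else. */
static int model_checked_handle_to_fd(struct model_file *f, int handle) {
    struct model_bo *bo = model_lookup(f, handle);
    if (bo && bo->imported)
        return -EOPNOTSUPP;
    return model_default_handle_to_fd(f, handle);
}

int main(void) {
    struct model_file f = { .next_fd = 3 };
    int native = model_bo_add(&f, false), imported = model_bo_add(&f, true);
    printf("native -> %d, imported -> %d\n",
           model_checked_handle_to_fd(&f, native),
           model_checked_handle_to_fd(&f, imported));
    return 0;
}
```

Natively created objects still export through the checked path, so user-space code that only exports its own buffers is unaffected by the gate.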
Preconditions
- auth: Attacker must have access to the accel/ivpu device (e.g., /dev/accel/ivpu*)
- input: Attacker must be able to import a GEM buffer and then attempt to re-export it via the prime handle-to-fd mechanism
Generated on May 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References