CVE-2026-46312
Description
Linux kernel's videobuf2 component had a vulnerability allowing a warning to be triggered during mmap operations, potentially impacting DMA-buf handling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel's videobuf2 component had a vulnerability allowing a warning to be triggered during mmap operations, potentially impacting DMA-buf handling.
Vulnerability
The Linux kernel's videobuf2 component, specifically within vb2_dma_sg_mmap, had a vulnerability where it did not set the VM_DONTEXPAND and VM_DONTDUMP VMA flags, unlike vb2_dma_contig. This could lead to a WARN_ON condition in drm_gem_mmap_obj() when an imported dma-buf was mmap'd using vb2_dma_sg_memops, as seen with the out-of-tree Apple ISP camera capture driver [1].
Exploitation
An attacker would need to trigger an mmap() operation on an imported dma-buf that utilizes the vb2_dma_sg_memops. This scenario was observed when using the gst-launch-1.0 command with v4l2src and gtk4paintablesink, which can be initiated by a local user with the ability to run specific multimedia applications [1].
Impact
The vulnerability results in a kernel warning, WARNING: CPU: 7 PID: 2362 Comm: gst-launch-1.0 Ta…, indicating a potential issue in memory management during the mapping of DMA buffers. While the immediate impact is a warning, it suggests a possible instability or unintended behavior in how memory is handled, which could potentially be leveraged for further system compromise, though this is not explicitly detailed in the references [1].
Mitigation
This vulnerability has been resolved in the Linux kernel. The fix involves setting the vma_flags in vb2_dma_sg_mmap. The specific patched commit is available for review [1]. No specific version information for the fix is provided, but it is considered resolved as of the publication date of the references.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3Patches
1021fade52ab9fmedia: videobuf2: Set vma_flags in vb2_dma_sg_mmap
1 file changed · +1 −1
drivers/media/common/videobuf2/videobuf2-dma-sg.c+1 −1 modifieddiff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index b3bf2173c14e1..7c30731cb9a57 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -345,6 +345,7 @@ static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma) return err; } + vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); /* * Use common vm_area operations to track buffer refcount. */ -- cgit 1.3-korg
1a1360264f69media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
1 file changed · +1 −1
drivers/media/common/videobuf2/videobuf2-dma-sg.c+1 −1 modifieddiff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index a5aa6a2a028cb..94239f914120c 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -345,6 +345,7 @@ static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma) return err; } + vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); /* * Use common vm_area operations to track buffer refcount. */ -- cgit 1.3-korg
feb17524aa4emedia: videobuf2: Set vma_flags in vb2_dma_sg_mmap
1 file changed · +1 −1
drivers/media/common/videobuf2/videobuf2-dma-sg.c+1 −1 modifieddiff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index a5aa6a2a028cb..94239f914120c 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -345,6 +345,7 @@ static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma) return err; } + vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); /* * Use common vm_area operations to track buffer refcount. */ -- cgit 1.3-korg
7254b31a13aamedia: videobuf2: Set vma_flags in vb2_dma_sg_mmap
1 file changed · +1 −1
drivers/media/common/videobuf2/videobuf2-dma-sg.c+1 −1 modifieddiff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index 982021d547e53..b1d0695cda260 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -345,6 +345,7 @@ static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma) return err; } + vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); /* * Use common vm_area operations to track buffer refcount. */ -- cgit 1.3-korg
b4cf91658a63media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
1 file changed · +1 −1
drivers/media/common/videobuf2/videobuf2-dma-sg.c+1 −1 modifieddiff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index 982021d547e53..b1d0695cda260 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -345,6 +345,7 @@ static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma) return err; } + vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); /* * Use common vm_area operations to track buffer refcount. */ -- cgit 1.3-korg
feb17524aa4emedia: videobuf2: Set vma_flags in vb2_dma_sg_mmap
1 file changed · +1 −1
drivers/media/common/videobuf2/videobuf2-dma-sg.c+1 −1 modifieddiff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index a5aa6a2a028cb..94239f914120c 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -345,6 +345,7 @@ static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma) return err; } + vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); /* * Use common vm_area operations to track buffer refcount. */ -- cgit 1.3-korg
1a1360264f69media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
1 file changed · +1 −1
drivers/media/common/videobuf2/videobuf2-dma-sg.c+1 −1 modifieddiff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index a5aa6a2a028cb..94239f914120c 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -345,6 +345,7 @@ static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma) return err; } + vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); /* * Use common vm_area operations to track buffer refcount. */ -- cgit 1.3-korg
7254b31a13aamedia: videobuf2: Set vma_flags in vb2_dma_sg_mmap
1 file changed · +1 −1
drivers/media/common/videobuf2/videobuf2-dma-sg.c+1 −1 modifieddiff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index 982021d547e53..b1d0695cda260 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -345,6 +345,7 @@ static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma) return err; } + vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); /* * Use common vm_area operations to track buffer refcount. */ -- cgit 1.3-korg
b4cf91658a63media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
1 file changed · +1 −1
drivers/media/common/videobuf2/videobuf2-dma-sg.c+1 −1 modifieddiff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index 982021d547e53..b1d0695cda260 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -345,6 +345,7 @@ static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma) return err; } + vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); /* * Use common vm_area operations to track buffer refcount. */ -- cgit 1.3-korg
21fade52ab9fmedia: videobuf2: Set vma_flags in vb2_dma_sg_mmap
1 file changed · +1 −1
drivers/media/common/videobuf2/videobuf2-dma-sg.c+1 −1 modifieddiff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index b3bf2173c14e1..7c30731cb9a57 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -345,6 +345,7 @@ static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma) return err; } + vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); /* * Use common vm_area operations to track buffer refcount. */ -- cgit 1.3-korg
Vulnerability mechanics
Synthesis attempt was rejected by the grounding validator. Re-run pending.
References
5- git.kernel.org/stable/c/1a1360264f699521e001e7739009ee3ee3c6a4f5nvd
- git.kernel.org/stable/c/21fade52ab9fb13368a5709e60b0d9909197aeaenvd
- git.kernel.org/stable/c/7254b31a13aaa0c2c0f9ffbc335b718656117ff4nvd
- git.kernel.org/stable/c/b4cf91658a636618f1437beec971dec25dec28ebnvd
- git.kernel.org/stable/c/feb17524aa4ec337749344be0db52b88663e25abnvd
News mentions
2- Google Android SDK: 10 Linux Kernel Vulnerabilities Disclosed TogetherVypr Intelligence · Jun 8, 2026
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8, 2026Vypr Intelligence · Jun 8, 2026