CVE-2026-46314
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Reject empty multisync extension to prevent infinite loop
v3d_get_extensions() walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referential extension (ext->next == &ext) with zero in_sync_count and out_sync_count, which bypasses the existing duplicate-extension guard:
if (se->in_sync_count || se->out_sync_count) return -EINVAL;
The guard never fires because v3d_get_multisync_post_deps() returns immediately when count is zero, leaving both fields at zero on every iteration. The result is an infinite loop in kernel context, blocking the calling thread and pegging a CPU core indefinitely.
Fix this by rejecting a multisync extension where both in_sync_count and out_sync_count are zero in v3d_get_multisync_submit_deps(). An empty multisync carries no synchronization information and serves no useful purpose, so returning -EINVAL for such an extension is the correct defense against this attack vector.
Affected products
Patches
fb44d589bf31 drm/v3d: Reject empty multisync extension to prevent infinite loop
1 file changed · +5 −1
drivers/gpu/drm/v3d/v3d_submit.c+5 −1 modifieddiff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c index 18f2bf1fe89fa..fc74351efad5c 100644 --- a/drivers/gpu/drm/v3d/v3d_submit.c +++ b/drivers/gpu/drm/v3d/v3d_submit.c @@ -393,6 +393,11 @@ v3d_get_multisync_submit_deps(struct drm_file *file_priv, if (multisync.pad) return -EINVAL; + if (!multisync.in_sync_count && !multisync.out_sync_count) { + drm_dbg(&v3d->drm, "Empty multisync extension\n"); + return -EINVAL; + } + ret = v3d_get_multisync_post_deps(file_priv, se, multisync.out_sync_count, multisync.out_syncs); if (ret) -- cgit 1.3-korg
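Review bot: The zero-count check added after the `multisync.pad` test closes the empty-multisync case, but nothing in this hunk bounds the extension walk that the commit message itself describes as having no limit on chain length. Consider also capping the number of extensions, or rejecting a repeated extension, in v3d_get_extensions(), so that termination does not depend on every handler recording state that a later guard can see.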
9c5164781cb3 drm/v3d: Reject empty multisync extension to prevent infinite loop
1 file changed · +5 −1
drivers/gpu/drm/v3d/v3d_submit.c+5 −1 modifieddiff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c index 18f2bf1fe89fa..fc74351efad5c 100644 --- a/drivers/gpu/drm/v3d/v3d_submit.c +++ b/drivers/gpu/drm/v3d/v3d_submit.c @@ -393,6 +393,11 @@ v3d_get_multisync_submit_deps(struct drm_file *file_priv, if (multisync.pad) return -EINVAL; + if (!multisync.in_sync_count && !multisync.out_sync_count) { + drm_dbg(&v3d->drm, "Empty multisync extension\n"); + return -EINVAL; + } + ret = v3d_get_multisync_post_deps(file_priv, se, multisync.out_sync_count, multisync.out_syncs); if (ret) -- cgit 1.3-korg
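Review bot: Returning -EINVAL when both `in_sync_count` and `out_sync_count` are zero changes what the submit path accepts, and the added block carries no comment saying why an empty multisync is invalid. A short comment above the check, and a matching note wherever the multisync extension is documented for userspace, would tell driver users why the submission is refused instead of leaving only the debug message.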
4fa42a249e8c drm/v3d: Reject empty multisync extension to prevent infinite loop
1 file changed · +5 −1
drivers/gpu/drm/v3d/v3d_submit.c+5 −1 modifieddiff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c index f3652e90683c3..23fa18e5e65c8 100644 --- a/drivers/gpu/drm/v3d/v3d_submit.c +++ b/drivers/gpu/drm/v3d/v3d_submit.c @@ -390,6 +390,11 @@ v3d_get_multisync_submit_deps(struct drm_file *file_priv, if (multisync.pad) return -EINVAL; + if (!multisync.in_sync_count && !multisync.out_sync_count) { + DRM_DEBUG("Empty multisync extension\n"); + return -EINVAL; + } + ret = v3d_get_multisync_post_deps(file_priv, se, multisync.out_sync_count, multisync.out_syncs); if (ret) -- cgit 1.3-korg
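Review bot: The debug message in the added block uses the global `DRM_DEBUG(...)` macro, while the other version of this change logs through `drm_dbg(&v3d->drm, ...)` and so keeps the device context. If a device pointer is reachable in this tree's v3d_get_multisync_submit_deps(), prefer the per-device helper; if it is not, say so in the commit message so the difference between the two versions is explained.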
Vulnerability mechanics
Root cause
"The v3d_get_extensions function allows a self-referential linked list of extensions with zero sync counts, bypassing a duplicate extension guard and causing an infinite loop."
Attack vector
A local user can trigger this vulnerability by crafting a self-referential extension within a singly-linked list passed to the v3d_get_extensions function. This crafted extension has both `in_sync_count` and `out_sync_count` set to zero. This bypasses an existing guard that checks for non-zero sync counts, leading to an infinite loop in kernel context [patch_id=5239708].
Affected code
The vulnerability resides in the `v3d_get_extensions` function, which processes a userspace-provided linked list of ioctl extensions. Specifically, the issue arises in `v3d_get_multisync_submit_deps` where the `in_sync_count` and `out_sync_count` fields are checked [patch_id=5239708].
What the fix does
The patch introduces a check in `v3d_get_multisync_submit_deps` to reject multisync extensions where both `in_sync_count` and `out_sync_count` are zero [patch_id=5239708]. This prevents the creation of empty multisync extensions, which have no synchronization purpose and were previously exploited to cause an infinite loop. By returning -EINVAL for such extensions, the vulnerability is mitigated.
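The mechanics above can be followed in a small userspace model. This C is an added example, not kernel code or part of the patch: the struct layout, `get_multisync`, `walk_extensions`, `model_submit` and the `max_steps` cap (which returns `-ELOOP` where the unpatched kernel loop would never exit) are assumptions made so the model terminates and can be checked.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: struct layout and helper names are assumptions. */
struct ext { struct ext *next; uint32_t in_sync_count, out_sync_count; };
struct submit_ext { uint32_t in_sync_count, out_sync_count; };

/* Models v3d_get_multisync_submit_deps(); fixed != 0 enables the patched check. */
static int get_multisync(const struct ext *e, struct submit_ext *se, int fixed)
{
    /* Duplicate-extension guard quoted in the description. */
    if (se->in_sync_count || se->out_sync_count)
        return -EINVAL;
    /* Check added by the patch: an empty multisync is rejected. */
    if (fixed && !e->in_sync_count && !e->out_sync_count)
        return -EINVAL;
    /* Zero counts store zeros, so the guard above never sees a prior visit. */
    se->in_sync_count = e->in_sync_count;
    se->out_sync_count = e->out_sync_count;
    return 0;
}

/* Models the v3d_get_extensions() walk; max_steps/-ELOOP exist only in this model. */
static int walk_extensions(const struct ext *head, int fixed, unsigned max_steps)
{
    struct submit_ext se = {0, 0};
    unsigned steps = 0;
    for (const struct ext *e = head; e; e = e->next) {
        if (steps++ == max_steps) return -ELOOP;
        int ret = get_multisync(e, &se, fixed);
        if (ret)
            return ret;
    }
    return 0;
}

/* Constructed input: one extension, optionally pointing back at itself. */
int model_submit(int self_ref, uint32_t in, uint32_t out, int fixed)
{
    struct ext e = { NULL, in, out };
    if (self_ref) e.next = &e;
    return walk_extensions(&e, fixed, 1000);
}

int main(void)
{
    printf("pre-fix: %d, patched: %d\n", model_submit(1, 0, 0, 0), model_submit(1, 0, 0, 1));
    return 0;
}
```

A self-referential extension with non-zero counts is already stopped by the original guard on the second visit, which is why only the all-zero case needed the new check.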
Preconditions
- auth: The attacker must have local user privileges.
- input: The attacker must be able to craft and submit a malicious ioctl extension list.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.