Linux Kernel Vulnerability CVE-2026-46215 Allows Passwordless Root Access via DRM Render Nodes
A critical use-after-free vulnerability in the Linux kernel's DRM GEM core, CVE-2026-46215, allows local users with GPU render node access to escalate privileges to root.

A significant vulnerability, identified as CVE-2026-46215, has been discovered and patched within the Linux kernel's Direct Rendering Manager (DRM) GEM core. This flaw permits any local user with access to a GPU render node to escalate their privileges to root, effectively bypassing all security restrictions without needing any special permissions. The vulnerability, present in mainline kernels from version v6.18-rc1 up to the point of the fix, was reported to kernel security channels in April 2026, with a patch being integrated in late May 2026.
The technical root of the problem lies in a use-after-free condition within the DRM_IOCTL_GEM_CHANGE_HANDLE ioctl. This specific ioctl, introduced in v6.18-rc1 to support AMD's CRIU checkpoint/restore functionality, is designed to move graphics buffer objects between handles. However, it fails to correctly update the object's internal handle count. This oversight creates a narrow but exploitable race condition: for a brief period, an object can have two entries in the IDR (ID lookup) table while its handle count incorrectly indicates only one. If a second thread attempts to close the old handle during this window, it decrements the count to zero and frees the object, even though the new handle still points to the now-deallocated memory.
Crucially, both the GEM_CHANGE_HANDLE and GEM_CLOSE ioctls are flagged with DRM_RENDER_ALLOW. This means that any process capable of opening a device node under /dev/dri/renderD* can trigger this race condition. On most desktop Linux installations, the systemd-logind service grants this render node access to any logged-in user by default, significantly broadening the potential attack surface.
Researchers have developed a proof-of-concept exploit that chains several advanced techniques to transform the freed memory into full root access. The exploit first reclaims the freed memory slot using a sprayed array of pipe_buffer structures. It then leaks a kernel pointer through overlapping structure fields, which helps bypass Kernel Address Space Layout Randomization (KASLR). By employing a GEM object naming trick, the exploit sets the PIPE_BUF_FLAG_CAN_MERGE flag, effectively circumventing the protections introduced by the 2022 DirtyPipe vulnerability. Finally, the attacker overwrites the /etc/passwd file via the page cache, removing the password field for the root user and enabling passwordless root login.
Testing demonstrated the exploit's high reliability, succeeding in 99 out of 100 boots with an average of fewer than 100 race iterations required to achieve success. While researcher Puttimet Thammasaeng initially reported the bug and received the official CVE credit and upstream attribution, the author of the analysis independently discovered and reported the flaw, contributing separate exploit research. The fix, developed by AMD's David Francis and kernel maintainer Dave Airlie, employs a two-stage idr_replace operation to close the race window, ensuring a clean rollback if a concurrent close operation wins the race.
In a further effort to mitigate risks, kernel maintainers have decided to disable the GEM_CHANGE_HANDLE ioctl entirely in the upcoming Linux kernel 7.1 release. This drastic measure removes the vulnerable code path altogether, providing a more robust solution than simply patching the race condition. Fixed versions include 6.18.32, 7.0.9, and 7.1-rc3 and later.
This vulnerability highlights a persistent pattern of bugs within the Linux kernel: compound operations on reference-counted objects where adding, removing, and counting references are handled in separate steps. This can create windows where concurrent operations can lead to memory being freed while still in use, a risk that subsystems neglecting established helper functions for bookkeeping are particularly susceptible to. The incident serves as a stark reminder of the ongoing need for rigorous code review and secure development practices in kernel-level programming.