AMD and Linux Kernel: Linux Kernel Vulnerability Enables Passwordless Root Through DRM Render Nodes

AMD and Linux Kernel: Linux Kernel Vulnerability Enables Passwordless Root Through DRM Render Nodes

Linux Kernel Privilege Escalation Flaw (CVE-2026-46215) Patched After Exploit Demo

A critical use-after-free vulnerability in the Linux kernel, tracked as CVE-2026-46215, allowed local users with GPU render node access to escalate privileges to root without special permissions. The flaw affected mainline kernels from v6.18-rc1 until a patch was released in late May 2026, following a report to security@kernel.org on 12 April 2026.

The bug resided in the DRM GEM core ioctl (DRM_IOCTL_GEM_CHANGE_HANDLE), introduced in v6.18-rc1 for AMD’s CRIU checkpoint/restore functionality. The ioctl moved a graphics buffer object between handles but failed to update its handle_count, creating a race condition. During a brief window, the object had two IDR (ID lookup) entries while its count remained at 1. If a second thread called DRM_IOCTL_GEM_CLOSE on the old handle, it would free the object while the new handle still referenced it.

Since both ioctls carried the DRM_RENDER_ALLOW flag, any process with access to /dev/dri/renderD* granted by default to logged-in users via systemd-logind could trigger the race.

Exploit Chain to Root

Cyberstan’s proof-of-concept demonstrated how the flaw could be weaponized:

  • Memory reclamation via sprayed pipe_buffer structures.
  • Kernel pointer leak to bypass KASLR.
  • PIPE_BUF_FLAG_CAN_MERGE manipulation to circumvent the 2022 DirtyPipe fix.
  • /etc/passwd overwrite via page cache, removing root’s password field.

The exploit succeeded in 99 out of 100 test boots, requiring fewer than 100 race iterations on average.

Discovery & Fix

Researcher Puttimet Thammasaeng initially reported the bug, receiving official CVE credit. A separate analysis by another researcher contributed additional exploit research. AMD’s David Francis and kernel maintainer Dave Airlie implemented a fix using a two-stage idr_replace operation to close the race window. For long-term mitigation, the GEM_CHANGE_HANDLE ioctl was disabled entirely in the upcoming 7.1 release, removing the vulnerable code path. Fixed kernel versions include 6.18.32, 7.0.9, and 7.1-rc3 onward.

The vulnerability highlights a recurring issue in kernel development: compound operations on refcounted objects where references are added, removed, and counted in separate steps, leaving gaps for concurrent teardown to free memory still in use. Subsystems bypassing established helper functions remain at risk for similar race conditions.

Source: https://cybersecuritynews.com/linux-kernel-bug-passwordless-root/

AMD cybersecurity rating report: https://www.rankiteo.com/company/amd

Kernel Foundation - Master Linux Kernel & LDD cybersecurity rating report: https://www.rankiteo.com/company/linux-kernel-foundation

"id": "AMDLIN1783614518",
"linkid": "amd, linux-kernel-foundation",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Linux kernels '
                                              'v6.18-rc1 to v6.18.31, v7.0.0 '
                                              'to v7.0.8',
                        'industry': 'Technology/Operating Systems',
                        'location': 'Global',
                        'name': 'Linux Kernel',
                        'type': 'Open-source software'}],
 'attack_vector': 'Local',
 'date_detected': '2026-04-12',
 'date_resolved': '2026-05-01',
 'description': 'A critical use-after-free vulnerability in the Linux kernel, '
                'tracked as CVE-2026-46215, allowed local users with GPU '
                'render node access to escalate privileges to root without '
                'special permissions. The flaw affected mainline kernels from '
                'v6.18-rc1 until a patch was released in late May 2026. The '
                'bug resided in the DRM GEM core ioctl '
                '(DRM_IOCTL_GEM_CHANGE_HANDLE), introduced in v6.18-rc1 for '
                'AMD’s CRIU checkpoint/restore functionality, which failed to '
                'update its handle_count, creating a race condition.',
 'impact': {'operational_impact': 'Privilege escalation to root access',
            'systems_affected': 'Linux kernels v6.18-rc1 to v6.18.31, v7.0.0 '
                                'to v7.0.8'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'The vulnerability highlights recurring issues in kernel '
                    'development: compound operations on refcounted objects '
                    'where references are added, removed, and counted in '
                    'separate steps, leaving gaps for concurrent teardown to '
                    'free memory still in use. Subsystems bypassing '
                    'established helper functions remain at risk for similar '
                    'race conditions.',
 'post_incident_analysis': {'corrective_actions': 'Implemented two-stage '
                                                  'idr_replace operation to '
                                                  'close the race window; '
                                                  'disabled GEM_CHANGE_HANDLE '
                                                  'ioctl in kernel 7.1 '
                                                  'release.',
                            'root_causes': 'Use-after-free race condition in '
                                           'DRM GEM core ioctl due to improper '
                                           'handle_count updates during buffer '
                                           'object movement between handles.'},
 'recommendations': 'Apply patches to kernel versions 6.18.32, 7.0.9, or '
                    '7.1-rc3 onward. Disable the GEM_CHANGE_HANDLE ioctl in '
                    'future releases. Review kernel subsystems for similar '
                    'race conditions in refcounted object operations.',
 'references': [{'source': 'Linux Kernel Mailing List'},
                {'source': 'Cyberstan Proof-of-Concept'}],
 'response': {'containment_measures': 'Patch released in kernel versions '
                                      '6.18.32, 7.0.9, and 7.1-rc3 onward',
              'remediation_measures': 'Two-stage idr_replace operation to '
                                      'close the race window; '
                                      'GEM_CHANGE_HANDLE ioctl disabled in 7.1 '
                                      'release'},
 'title': 'Linux Kernel Privilege Escalation Flaw (CVE-2026-46215)',
 'type': 'Privilege Escalation',
 'vulnerability_exploited': 'Use-after-free in DRM GEM core ioctl '
                            '(DRM_IOCTL_GEM_CHANGE_HANDLE)'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.