CVE-2026-46312

Source
https://cve.org/CVERecord?id=CVE-2026-46312
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46312.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46312
Downstream
Related
Published
2026-06-08T15:50:42.964Z
Modified
2026-07-10T03:54:46.236864161Z
Summary
media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
Details

In the Linux kernel, the following vulnerability has been resolved:

media: videobuf2: Set vmaflags in vb2dmasgmmap

vb2dmacontig sets VMA flags VMDONTEXPAND and VMDONTDUMP and I do not see a reason why vb2dmasg should behave differently. This avoids hitting WARN_ON(!(vma->vm_flags & VM_DONTEXPAND)); in drmgemmmapobj() during mmap() of an imported dma-buf from the out of tree Apple ISP camera capture driver which uses vb2dmasgmemops.

gst-launch-1.0 v4l2src ! gtk4paintablesink

[ 38.201528] ------------[ cut here ]------------ [ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drmgem.c:1144 drmgemmmapobj+0x1f8/0x210 [ 38.203278] Modules linked in: rfcomm sndseqdummy sndhrtimer sndseq sndseqdevice uinput nfconntracknetbiosns nfconntrackbroadcast nftfibinet nftfibipv4 nftfibipv6 nftfib nftrejectinet nfrejectipv6 nftreject nftct nftchainnat nfnat nfconntrack nfdefragipv6 nfdefragipv4 nftables qrtr bnep nlsascii i2cdev loop fuse dmmultipath nfnetlink brcmfmacwcc hidmagicmouse hcibcm4377 brcmfmac brcmutil bluetooth ecdhgeneric cfg80211 ecc btrfs xor xorneon rfkill hidapple raid6pq joydev aopals applenvmemspmi industrialio sndsocaop applez2 sndsoccs42l84 tps6598x sndsoctas2764 macsmcreboot spinor macsmchwmon rtcmacsmc gpiomacsmc macsmcpower regmapspmi macsmcinput dockchannelhid panelsummit appledrm nvmeapple dwc3 sndsocmacaudio drmclientlib nvmecore phyappleatc hwmon applesart appledockchannel macsmc applertkithelper spmiapplecontroller aop applewdt mfdcore nvmemappleefuses pinctrlapplegpio appleisp appledcp videobuf2dmasg muxcore spiapple [ 38.203300] videobuf2memops i2cpasemiplatform sndsocapplemca videobuf2v4l2 videodev clkapplenco videobuf2common sndpcmdmaengine adpdrm asahi appleadmac adpdrmmipi drmdmahelper pwmapple i2cpasemicore drmdisplayhelper mc cec appledart ofpart applesoccpufreq ledspwm phram [ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full) [ 38.219040] Tainted: [W]=WARN [ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT) [ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 38.221088] pc : drmgemmmapobj+0x1f8/0x210 [ 38.221643] lr : drmgemmmapobj+0x78/0x210 [ 38.222178] sp : ffffc0008dc678e0 [ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480 [ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968 [ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0 [ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968 [ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8 [ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff [ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8 [ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000 [ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038 [ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb [ 38.231488] Call trace: [ 38.231806] drmgemmmapobj+0x1f8/0x210 (P) [ 38.232342] drmgem_mmap+0x140/0x260 [ 38.232813] __mmapregion+0x488/0x9a0 [ 38.233277] mmapregion+0xd0/0x148 [ 38.233703] dommap+0x350/0x5c0 [ 38.234148] vmmmappgoff+0x14c/0x200 [ 38.234612] ksysmmap_pgoff+0x150/0x208 [ 38.235107] _arm64sysmmap+0x34/0x50 [ 38.235611] invokesyscall+0x50/0x120 [ 38.236075] el0svccommon.constprop.0+0x48/0xf0 [ 38.236680] doel0svc+0x24/0x38 [ 38.237113] el0svc+0x38/0x168 [ 38.237507] el0t64synchandler+0xa0/0xe8 [ 38.238034] el0t64sync+0x198/0x1a0 [ 38.238491] ---[ end trace 0000000000000000 ]---

There were discussions in [1] at the end of 2023 that mmap() on imported ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46312.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5ba3f757f0592ca001266b4a6214d0332349909c
Fixed
feb17524aa4ec337749344be0db52b88663e25ab
Fixed
1a1360264f699521e001e7739009ee3ee3c6a4f5
Fixed
21fade52ab9fb13368a5709e60b0d9909197aeae
Fixed
b4cf91658a636618f1437beec971dec25dec28eb
Fixed
7254b31a13aaa0c2c0f9ffbc335b718656117ff4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46312.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.39
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.90
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.32
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46312.json"