CVE-2026-46314

Source
https://cve.org/CVERecord?id=CVE-2026-46314
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46314.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46314
Downstream
Related
Published
2026-06-08T15:50:45.305Z
Modified
2026-07-10T03:54:24.657189411Z
Summary
drm/v3d: Reject empty multisync extension to prevent infinite loop
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Reject empty multisync extension to prevent infinite loop

v3dgetextensions() walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referential extension (ext->next == &ext) with zero insynccount and outsynccount, which bypasses the existing duplicate- extension guard:

if (se->in_sync_count || se->out_sync_count)
        return -EINVAL;

The guard never fires because v3dgetmultisyncpostdeps() returns immediately when count is zero, leaving both fields at zero on every iteration. The result is an infinite loop in kernel context, blocking the calling thread and pegging a CPU core indefinitely.

Fix this by rejecting a multisync extension where both insynccount and outsynccount are zero in v3dgetmultisyncsubmitdeps(). An empty multisync carries no synchronization information and serves no useful purpose, so returning -EINVAL for such an extension is the correct defense against this attack vector.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46314.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e4165ae8304e5ea822fbe5909dd3be5445c058b7
Fixed
309abbddeca0c12714721928a819ef45e5710998
Fixed
4fa42a249e8cd6ed17aea04e5695b6e9001f2433
Fixed
9c5164781cb388d219d8f49fa0f0b04cf86ad544
Fixed
fb44d589bf3148e13452185a6e772a7efbf2d684

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46314.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46314.json"