CVE-2026-52965

Source
https://cve.org/CVERecord?id=CVE-2026-52965
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52965.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52965
Downstream
Published
2026-06-24T16:28:45.090Z
Modified
2026-07-08T08:09:44.319811746Z
Summary
drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: Fix ttmboswapout() infinite LRU walk on swapout failure

When ttmttswapout() fails, the current code calls ttmresourceaddbulkmove() followed by ttmresourcemovetolrutail() to restore the resource's bulkmove membership.

However, ttmresourcemovetolrutail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource in front of the the hitch. The next listforeachentry_continue() from the hitch finds the same resource again, causing an infinite loop.

Fix by deferring delbulkmove to the success path only.

On the success path, TTMTTFLAGSWAPPED has just been set by ttmttswapout() but the resource is still tracked in the bulkmove range, so ttmresourcedelbulkmove()'s !ttmresourceunevictable() guard would incorrectly skip the removal. Introduce ttmresourcedelbulkmove_unevictable() which bypasses that guard.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52965.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fc5d96670eb2540d2572a14351e82ffe45d5ac11
Fixed
0124a09e3e5f5f6080efe9663b27af27933f8382
Fixed
b2ed01e7ad3de80333e9b962a44024b094bc0b2b

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52965.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52965.json"