{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23317", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.995Z", "datePublished": "2026-03-25T10:27:11.884Z", "dateUpdated": "2026-04-13T06:04:16.604Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-13T06:04:16.604Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Return the correct value in vmw_translate_ptr functions\n\nBefore the referenced fixes these functions used a lookup function that\nreturned a pointer. This was changed to another lookup function that\nreturned an error code with the pointer becoming an out parameter.\n\nThe error path when the lookup failed was not changed to reflect this\nchange and the code continued to return the PTR_ERR of the now\nuninitialized pointer. This could cause the vmw_translate_ptr functions\nto return success when they actually failed causing further uninitialized\nand OOB accesses."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"], "versions": [{"version": "7ac9578e45b20e3f3c0c8eb71f5417a499a7226a", "lessThan": "ce3a5cf139787c186d5d54336107298cacaad2b9", "status": "affected", "versionType": "git"}, {"version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50", "lessThan": "7e55d0788b362c93660b80cc5603031bbbdefa98", "status": "affected", "versionType": "git"}, {"version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50", "lessThan": "36cb28b6d303a81e6ed4536017090e85e0143e42", "status": "affected", "versionType": "git"}, {"version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50", "lessThan": "531f45589787799aa81b63e1e1f8e71db5d93dd1", "status": "affected", "versionType": "git"}, {"version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50", "lessThan": "149f028772fa2879d9316b924ce948a6a0877e45", "status": "affected", "versionType": "git"}, {"version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50", "lessThan": "5023ca80f9589295cb60735016e39fc5cc714243", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.7", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ce3a5cf139787c186d5d54336107298cacaad2b9"}, {"url": "https://git.kernel.org/stable/c/7e55d0788b362c93660b80cc5603031bbbdefa98"}, {"url": "https://git.kernel.org/stable/c/36cb28b6d303a81e6ed4536017090e85e0143e42"}, {"url": "https://git.kernel.org/stable/c/531f45589787799aa81b63e1e1f8e71db5d93dd1"}, {"url": "https://git.kernel.org/stable/c/149f028772fa2879d9316b924ce948a6a0877e45"}, {"url": "https://git.kernel.org/stable/c/5023ca80f9589295cb60735016e39fc5cc714243"}], "title": "drm/vmwgfx: Return the correct value in vmw_translate_ptr functions", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DEF25F5-7BE0-47C6-9F8F-D3CA62F09F1E", "versionEndExcluding": "6.1.167", "versionStartIncluding": "6.1.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1904C76C-974E-4DEA-9E2B-C26F3C5420AD", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*", "matchCriteriaId": "3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Return the correct value in vmw_translate_ptr functions\n\nBefore the referenced fixes these functions used a lookup function that\nreturned a pointer. This was changed to another lookup function that\nreturned an error code with the pointer becoming an out parameter.\n\nThe error path when the lookup failed was not changed to reflect this\nchange and the code continued to return the PTR_ERR of the now\nuninitialized pointer. This could cause the vmw_translate_ptr functions\nto return success when they actually failed causing further uninitialized\nand OOB accesses."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrm/vmwgfx: Devolver el valor correcto en las funciones vmw_translate_ptr\n\nAntes de las correcciones referenciadas, estas funciones utilizaban una funci\u00f3n de b\u00fasqueda que devolv\u00eda un puntero. Esto fue cambiado a otra funci\u00f3n de b\u00fasqueda que devolv\u00eda un c\u00f3digo de error con el puntero convirti\u00e9ndose en un par\u00e1metro de salida.\n\nLa ruta de error cuando la b\u00fasqueda fallaba no fue cambiada para reflejar este cambio y el c\u00f3digo continu\u00f3 devolviendo el PTR_ERR del puntero ahora no inicializado. Esto podr\u00eda causar que las funciones vmw_translate_ptr devolvieran \u00e9xito cuando en realidad fallaron, causando accesos no inicializados y OOB adicionales."}], "id": "CVE-2026-23317", "lastModified": "2026-04-23T21:09:29.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-25T11:16:28.220", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/149f028772fa2879d9316b924ce948a6a0877e45"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/36cb28b6d303a81e6ed4536017090e85e0143e42"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5023ca80f9589295cb60735016e39fc5cc714243"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/531f45589787799aa81b63e1e1f8e71db5d93dd1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7e55d0788b362c93660b80cc5603031bbbdefa98"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ce3a5cf139787c186d5d54336107298cacaad2b9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions", "id": "2451188", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451188"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-390", "details": ["A flaw was found in the `drm/vmwgfx` component of the Linux kernel. Incorrect error handling in the `vmw_translate_ptr` functions could cause them to return a success status even when an internal lookup operation failed. This could lead to the use of uninitialized pointers and out-of-bounds (OOB) memory accesses, potentially resulting in system instability or information disclosure."], "name": "CVE-2026-23317", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23317\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23317\nhttps://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23317-0e9e@gregkh/T"], "statement": "This flaw affects VMware graphics (vmwgfx) driver used in VMware virtual machines. The error handling regression causes failed lookups to incorrectly return success, leading to use of uninitialized pointers and potential OOB memory accesses. This affects systems running Linux guests in VMware environments with 3D acceleration enabled.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7ac9578e45b20e3f3c0c8eb71f5417a499a7226a,ce3a5cf139787c186d5d54336107298cacaad2b9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a309c7194e8a2f8bd4539b9449917913f6c2cd50,7e55d0788b362c93660b80cc5603031bbbdefa98)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a309c7194e8a2f8bd4539b9449917913f6c2cd50,36cb28b6d303a81e6d4536017090e85e0143e42)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a309c7194e8a2f8bd4539b9449917913f6c2cd50,531f45589787799aa81b63e1e1f8e71db5d93dd1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a309c7194e8a2f8bd4539b9449917913f6c2cd50,149f028772fa2879d9316b924ce948a6a0877e45)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a309c7194e8a2f8bd4539b9449917913f6c2cd50,5023ca80f9589295cb60735016e39fc5cc714243)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T02:00:34.627838+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that contains the vmw_translate_ptr fixes.", "If an update is not immediately available, prevent the vmwgfx module from loading (e.g., add vmwgfx to /etc/modprobe.d/blacklist.conf).", "Monitor vendor advisories and schedule a kernel upgrade as soon as the patch reaches production."], "summary": {"action": "Apply Patch", "impact": "Kernel memory corruption"}, "threat_synthesis": {"affected_systems": "Any Linux system that loads the drm/vmwgfx driver is potentially affected. The kernel versions impacted are those prior to the patch that corrected the lookup return semantics; specific version ranges are not provided in the CNA data, so all earlier kernel releases are considered vulnerable.", "description_and_impact": "The vulnerability resides in the vmw_translate_ptr functions of the Linux kernel's drm/vmwgfx driver. The code change switched from returning a pointer to returning an error code with the pointer as an out parameter, but the error handling path was not updated. As a result, the function can return a PTR_ERR of an uninitialized pointer, causing the driver to report success when the lookup actually failed. This flaw can lead to uninitialized memory usage and out\u2011of\u2011bounds accesses inside the kernel, creating opportunities for memory corruption that could compromise confidentiality, integrity, or availability.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need the ability to invoke the drm/vmwgfx driver\u2019s translation functions, which typically requires local access or privilege escalation. The attack could result in arbitrary kernel memory corruption, leading to privilege escalation or denial\u2011of\u2011service."}}}}, "created": "2026-03-25T21:15:12.164683+00:00", "updated": "2026-04-29T02:15:47.416024+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}