{"api_version":"1","generated_at":"2026-05-06T13:23:27+00:00","cve":"CVE-2026-43236","urls":{"html":"https://cve.report/CVE-2026-43236","api":"https://cve.report/api/cve/CVE-2026-43236.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43236","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43236"},"summary":{"title":"drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release\n\nThe atmel_hlcdc_plane_atomic_duplicate_state() callback was copying\nthe atmel_hlcdc_plane state structure without properly duplicating the\ndrm_plane_state. In particular, state->commit remained set to the old\nstate commit, which can lead to a use-after-free in the next\ndrm_atomic_commit() call.\n\nFix this by calling\n__drm_atomic_helper_duplicate_plane_state(), which correctly clones\nthe base drm_plane_state (including the ->commit pointer).\n\nIt has been seen when closing and re-opening the device node while\nanother DRM client (e.g. fbdev) is still attached:\n\n=============================================================================\nBUG kmalloc-64 (Not tainted): Poison overwritten\n-----------------------------------------------------------------------------\n\n0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b\nFIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b\nAllocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0\npid=29\n drm_atomic_helper_setup_commit+0x1e8/0x7bc\n drm_atomic_helper_commit+0x3c/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_framebuffer_remove+0x4cc/0x5a8\n drm_mode_rmfb_work_fn+0x6c/0x80\n process_one_work+0x12c/0x2cc\n worker_thread+0x2a8/0x400\n kthread+0xc0/0xdc\n ret_from_fork+0x14/0x28\nFreed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0\npid=169\n drm_atomic_helper_commit_hw_done+0x100/0x150\n drm_atomic_helper_commit_tail+0x64/0x8c\n commit_tail+0x168/0x18c\n drm_atomic_helper_commit+0x138/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_atomic_helper_set_config+0x84/0xb8\n drm_mode_setcrtc+0x32c/0x810\n drm_ioctl+0x20c/0x488\n sys_ioctl+0x14c/0xc20\n ret_fast_syscall+0x0/0x54\nSlab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0\nflags=0x200(workingset|zone=0)\nObject 0xc611b340 @offset=832 fp=0xc611b7c0","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-06 12:16:43","updated_at":"2026-05-06 13:07:51"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/a205740a7231e967ac77cb731171642901c327af","name":"https://git.kernel.org/stable/c/a205740a7231e967ac77cb731171642901c327af","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fd4a4d0711f48a99b25bcd45e00eef8339eff82d","name":"https://git.kernel.org/stable/c/fd4a4d0711f48a99b25bcd45e00eef8339eff82d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6404898af86d986db1dbbe06177c143e40652e49","name":"https://git.kernel.org/stable/c/6404898af86d986db1dbbe06177c143e40652e49","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/796e77c14c4c1e2cd36473760fb6cc66c695eb47","name":"https://git.kernel.org/stable/c/796e77c14c4c1e2cd36473760fb6cc66c695eb47","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ac2d898da5095d46bd1ff8585fdd753d58ad91e7","name":"https://git.kernel.org/stable/c/ac2d898da5095d46bd1ff8585fdd753d58ad91e7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bc847787233277a337788568e90a6ee1557595eb","name":"https://git.kernel.org/stable/c/bc847787233277a337788568e90a6ee1557595eb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/549c6db503dbb85dbff4840830971853feac6625","name":"https://git.kernel.org/stable/c/549c6db503dbb85dbff4840830971853feac6625","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7b4d0fab3ff2c00c6d34e1952c9df5129a826aee","name":"https://git.kernel.org/stable/c/7b4d0fab3ff2c00c6d34e1952c9df5129a826aee","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43236","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43236","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 fd4a4d0711f48a99b25bcd45e00eef8339eff82d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 6404898af86d986db1dbbe06177c143e40652e49 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 796e77c14c4c1e2cd36473760fb6cc66c695eb47 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ac2d898da5095d46bd1ff8585fdd753d58ad91e7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 a205740a7231e967ac77cb731171642901c327af git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 7b4d0fab3ff2c00c6d34e1952c9df5129a826aee git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 549c6db503dbb85dbff4840830971853feac6625 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 bc847787233277a337788568e90a6ee1557595eb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.252 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.202 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.165 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.128 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.75 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.16 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.6 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"fd4a4d0711f48a99b25bcd45e00eef8339eff82d","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"6404898af86d986db1dbbe06177c143e40652e49","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"796e77c14c4c1e2cd36473760fb6cc66c695eb47","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"ac2d898da5095d46bd1ff8585fdd753d58ad91e7","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"a205740a7231e967ac77cb731171642901c327af","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"7b4d0fab3ff2c00c6d34e1952c9df5129a826aee","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"549c6db503dbb85dbff4840830971853feac6625","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"bc847787233277a337788568e90a6ee1557595eb","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.252","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.202","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.165","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.128","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.75","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.16","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.6","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.252","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.202","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.165","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.128","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.75","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release\n\nThe atmel_hlcdc_plane_atomic_duplicate_state() callback was copying\nthe atmel_hlcdc_plane state structure without properly duplicating the\ndrm_plane_state. In particular, state->commit remained set to the old\nstate commit, which can lead to a use-after-free in the next\ndrm_atomic_commit() call.\n\nFix this by calling\n__drm_atomic_helper_duplicate_plane_state(), which correctly clones\nthe base drm_plane_state (including the ->commit pointer).\n\nIt has been seen when closing and re-opening the device node while\nanother DRM client (e.g. fbdev) is still attached:\n\n=============================================================================\nBUG kmalloc-64 (Not tainted): Poison overwritten\n-----------------------------------------------------------------------------\n\n0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b\nFIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b\nAllocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0\npid=29\n drm_atomic_helper_setup_commit+0x1e8/0x7bc\n drm_atomic_helper_commit+0x3c/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_framebuffer_remove+0x4cc/0x5a8\n drm_mode_rmfb_work_fn+0x6c/0x80\n process_one_work+0x12c/0x2cc\n worker_thread+0x2a8/0x400\n kthread+0xc0/0xdc\n ret_from_fork+0x14/0x28\nFreed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0\npid=169\n drm_atomic_helper_commit_hw_done+0x100/0x150\n drm_atomic_helper_commit_tail+0x64/0x8c\n commit_tail+0x168/0x18c\n drm_atomic_helper_commit+0x138/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_atomic_helper_set_config+0x84/0xb8\n drm_mode_setcrtc+0x32c/0x810\n drm_ioctl+0x20c/0x488\n sys_ioctl+0x14c/0xc20\n ret_fast_syscall+0x0/0x54\nSlab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0\nflags=0x200(workingset|zone=0)\nObject 0xc611b340 @offset=832 fp=0xc611b7c0"}],"providerMetadata":{"dateUpdated":"2026-05-06T11:28:31.543Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/fd4a4d0711f48a99b25bcd45e00eef8339eff82d"},{"url":"https://git.kernel.org/stable/c/6404898af86d986db1dbbe06177c143e40652e49"},{"url":"https://git.kernel.org/stable/c/796e77c14c4c1e2cd36473760fb6cc66c695eb47"},{"url":"https://git.kernel.org/stable/c/ac2d898da5095d46bd1ff8585fdd753d58ad91e7"},{"url":"https://git.kernel.org/stable/c/a205740a7231e967ac77cb731171642901c327af"},{"url":"https://git.kernel.org/stable/c/7b4d0fab3ff2c00c6d34e1952c9df5129a826aee"},{"url":"https://git.kernel.org/stable/c/549c6db503dbb85dbff4840830971853feac6625"},{"url":"https://git.kernel.org/stable/c/bc847787233277a337788568e90a6ee1557595eb"}],"title":"drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43236","datePublished":"2026-05-06T11:28:31.543Z","dateReserved":"2026-05-01T14:12:55.995Z","dateUpdated":"2026-05-06T11:28:31.543Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-06 12:16:43","lastModifiedDate":"2026-05-06 13:07:51","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43236","Ordinal":"1","Title":"drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after rel","CVE":"CVE-2026-43236","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43236","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release\n\nThe atmel_hlcdc_plane_atomic_duplicate_state() callback was copying\nthe atmel_hlcdc_plane state structure without properly duplicating the\ndrm_plane_state. In particular, state->commit remained set to the old\nstate commit, which can lead to a use-after-free in the next\ndrm_atomic_commit() call.\n\nFix this by calling\n__drm_atomic_helper_duplicate_plane_state(), which correctly clones\nthe base drm_plane_state (including the ->commit pointer).\n\nIt has been seen when closing and re-opening the device node while\nanother DRM client (e.g. fbdev) is still attached:\n\n=============================================================================\nBUG kmalloc-64 (Not tainted): Poison overwritten\n-----------------------------------------------------------------------------\n\n0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b\nFIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b\nAllocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0\npid=29\n drm_atomic_helper_setup_commit+0x1e8/0x7bc\n drm_atomic_helper_commit+0x3c/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_framebuffer_remove+0x4cc/0x5a8\n drm_mode_rmfb_work_fn+0x6c/0x80\n process_one_work+0x12c/0x2cc\n worker_thread+0x2a8/0x400\n kthread+0xc0/0xdc\n ret_from_fork+0x14/0x28\nFreed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0\npid=169\n drm_atomic_helper_commit_hw_done+0x100/0x150\n drm_atomic_helper_commit_tail+0x64/0x8c\n commit_tail+0x168/0x18c\n drm_atomic_helper_commit+0x138/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_atomic_helper_set_config+0x84/0xb8\n drm_mode_setcrtc+0x32c/0x810\n drm_ioctl+0x20c/0x488\n sys_ioctl+0x14c/0xc20\n ret_fast_syscall+0x0/0x54\nSlab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0\nflags=0x200(workingset|zone=0)\nObject 0xc611b340 @offset=832 fp=0xc611b7c0","Type":"Description","Title":"drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after rel"}]}}}