A recently patched vulnerability in the Linux kernel, identified as CVE-2026-46215, allowed local users with access to GPU render nodes to escalate their privileges to root without requiring any special permissions. This flaw affected mainline kernels from version 6.18-rc1 until its resolution in late May 2026.
The issue originated from a use-after-free error in the Direct Rendering Manager (DRM) Graphics Execution Manager (GEM) core ioctl function `DRM_IOCTL_GEM_CHANGE_HANDLE`. Introduced in version 6.18-rc1 to support AMD’s Checkpoint/Restore In Userspace (CRIU) work, this function moves a graphics buffer object from one handle to another but fails to update the object’s `handle_count`. Consequently, during a brief window, the object possesses two IDR (ID lookup) entries while its handle count remains at one. If a second thread invokes `DRM_IOCTL_GEM_CLOSE` on the old handle during this window, it reduces the count to zero and frees the object, leaving the new handle pointing to now-freed memory.
Both ioctls carry the `DRM_RENDER_ALLOW` flag, meaning any process capable of opening `/dev/dri/renderD*` can trigger this race condition. On most desktop Linux systems, `systemd-logind` grants this access to any logged-in user by default, broadening the potential attack surface.
Exploitation Leading to Root Access
Security researchers developed a proof-of-concept exploit that chains several techniques to leverage the freed object into full root access:
- Reclaiming the freed memory slot using a sprayed array of `pipe_buffer` structures.
- Leaking a kernel pointer through overlapping struct fields to defeat Kernel Address Space Layout Randomization (KASLR).
- Setting `PIPE_BUF_FLAG_CAN_MERGE` via a GEM object naming trick, bypassing the 2022 DirtyPipe fix.
- Overwriting the read-only `/etc/passwd` file through the page cache, effectively removing the root user’s password field.
In testing, the exploit succeeded 99 times out of 100, typically requiring fewer than 100 race iterations to achieve root access.
Reporting and Mitigation
Researcher Puttimet Thammasaeng first reported the vulnerability and received the official CVE credit and upstream acknowledgment. Independently, another researcher discovered and reported the same issue, contributing separate exploit research.
AMD’s David Francis and kernel maintainer Dave Airlie addressed the flaw by implementing a fix that closes the race window with a two-stage `idr_replace` operation, which rolls back cleanly if a concurrent close operation wins the race. Additionally, kernel maintainers disabled the `GEM_CHANGE_HANDLE` ioctl entirely in the upcoming 7.1 release, removing the vulnerable code path altogether. Fixed versions include 6.18.32, 7.0.9, and 7.1-rc3 onward.
This vulnerability underscores a recurring pattern in kernel bugs: compound operations on reference-counted objects where references are added, removed, and counted in separate steps, creating windows where concurrent teardown can free memory still in use. Subsystems that bypass established helper functions for this bookkeeping remain at risk of similar race conditions.
For system administrators and users, this incident highlights the critical importance of timely kernel updates and vigilant monitoring of security advisories. Ensuring that systems are patched promptly can mitigate the risks associated with such vulnerabilities, which can have severe implications for system integrity and security.