{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78"
            },
            {
              "fixed": "11427ad6c9f0def5ce567982b785da3191946430"
            },
            {
              "fixed": "adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad"
            },
            {
              "fixed": "22922f7dae74409fc4bf0f1142710cb6b8ce8cc2"
            },
            {
              "fixed": "6b992591e04f2cce813bcf239b354f375bbf84d3"
            },
            {
              "fixed": "1da4ab7189f1064b3b712b388772c008b4d82580"
            },
            {
              "fixed": "1a17ea9861e89585361caa8bc231bd22dc6dbe7d"
            },
            {
              "fixed": "c5fc49d8470c5ebf3b41607600f277158f159950"
            },
            {
              "fixed": "3d4c2268bd7243c3780fe32bf24ff876da272acf"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.14.0"
            },
            {
              "fixed": "5.10.258"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.140"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.90"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.32"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46209.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()\n\ndrm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions\nusing plain integer division:\n\n  unsigned int width  = mode_cmd-\u003ewidth  / (i ? info-\u003ehsub : 1);\n  unsigned int height = mode_cmd-\u003eheight / (i ? info-\u003evsub : 1);\n\nHowever, the ioctl-level framebuffer_check() in drm_framebuffer.c uses\ndrm_format_info_plane_width/height() which round up dimensions via\nDIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object\nsize check for certain pixel format and dimension combinations.\n\nFor example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the\nGEM size validation path sees height=0 instead of height=1. The\nexpression (height - 1) then wraps to UINT_MAX as an unsigned int,\ncausing min_size to overflow and wrap back to a small value. A tiny\nGEM object therefore passes the size guard, yet when the GPU accesses\nthe chroma plane it will read or write memory beyond the object's\nbounds.\n\nFix by replacing the open-coded divisions with drm_format_info_plane_width()\nand drm_format_info_plane_height(), which use DIV_ROUND_UP() and match\nthe calculation already used in framebuffer_check().",
  "id": "CVE-2026-46209",
  "modified": "2026-07-08T05:37:11.132353931Z",
  "published": "2026-05-28T09:40:27.092Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/11427ad6c9f0def5ce567982b785da3191946430"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a17ea9861e89585361caa8bc231bd22dc6dbe7d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1da4ab7189f1064b3b712b388772c008b4d82580"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/22922f7dae74409fc4bf0f1142710cb6b8ce8cc2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3d4c2268bd7243c3780fe32bf24ff876da272acf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b992591e04f2cce813bcf239b354f375bbf84d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c5fc49d8470c5ebf3b41607600f277158f159950"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46209.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46209"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()"
}