{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "672464dd53231509c9c771110798c56d4660e19e"
            },
            {
              "fixed": "318b995cffcfcaa69a234d28123a3f4ae186a9df"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "61bd96d3e5472c253f9c1ab77608f0c8aaa9d025"
            },
            {
              "fixed": "38f12d0e10d83b66fa1466400d876a3a8da31542"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "5e28b7b94408897e41c63477aabc9e1db439bc8c"
            },
            {
              "fixed": "dc366607c41c45fd0ae6f3db090f31dd611b644a"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.18.32"
            },
            {
              "fixed": "6.18.33"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "7.0.9"
            },
            {
              "fixed": "7.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52966.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Replace old pointer to new idr\n\nCommit 5e28b7b94408 introduced a logical error by failing to replace the\nnewly generated IDR pointer to old id's pointer at the correct location\nwithin the \"change handle\" logic; this resulted in the issue reported by\nsyzbot [1].\n\nSpecifically, the new IDR object pointer is intended to replace the original\nid's pointer during the normal execution flow.\n\nAdditionally, an unnecessary conditional check for the ret exit path has\nbeen removed.\n\n[1]\n!RB_EMPTY_ROOT(\u0026prime_fpriv-\u003edmabufs)\nWARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833\nCall Trace:\n drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269\n drm_file_free drivers/gpu/drm/drm_file.c:237 [inline]\n drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290\n drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438",
  "id": "CVE-2026-52966",
  "modified": "2026-07-12T03:55:17.795463160Z",
  "published": "2026-06-24T16:28:45.891Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/318b995cffcfcaa69a234d28123a3f4ae186a9df"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38f12d0e10d83b66fa1466400d876a3a8da31542"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc366607c41c45fd0ae6f3db090f31dd611b644a"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52966.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52966"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "summary": "drm: Replace old pointer to new idr"
}