CVE-2026-46065 PUBLISHED

fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info

Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an instance as part of initializing deferred I/O and remove it only after the final mapping has been closed. If the fb_info and the contained deferred I/O meanwhile goes away, clear struct fb_deferred_io_state.info to invalidate the mapping. Any access will then result in a SIGBUS signal.

Fixes a long-standing problem, where a device hot-unplug happens while user space still has an active mapping of the graphics memory. The hot- unplug frees the instance of struct fb_info. Accessing the memory will operate on undefined state.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 60b59beafba875aef6d378078bce0baf2287ae14 to 2a40f8bc9bb713329f1c35ffc199ee961a7135b0 (excl.)
  • affected from 60b59beafba875aef6d378078bce0baf2287ae14 to 2b53d3a52e8e5403a4f4fb57ac6cad3fd2cb1066 (excl.)
  • affected from 60b59beafba875aef6d378078bce0baf2287ae14 to 25c2b77bc463f29ee71a54b883548baf9386a0db (excl.)
  • affected from 60b59beafba875aef6d378078bce0baf2287ae14 to a0aafb421dd15e935d81543152617f2742cefa70 (excl.)
  • affected from 60b59beafba875aef6d378078bce0baf2287ae14 to 9ded47ad003f09a94b6a710b5c47f4aa5ceb7429 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 2.6.22 is affected
  • unaffected from 0 to 2.6.22 (excl.)
  • unaffected from 6.6.140 to 6.6.* (incl.)
  • unaffected from 6.12.88 to 6.12.* (incl.)
  • unaffected from 6.18.30 to 6.18.* (incl.)
  • unaffected from 7.0.4 to 7.0.* (incl.)
  • unaffected from 7.1-rc1 to * (incl.)

References