Cyber Resilience

CVE-2026-23227 (High)

Published: 18 February 2026
Modified: 18 April 2026
KEV Added: not listed
CVSS v3.1 Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23227 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 1.7th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-23227 is a use-after-free vulnerability (CWE-416) in the Linux kernel's Exynos Virtual Display driver (drm/exynos: vidi), stemming from unprotected memory allocation and freeing operations on struct vidi_context member variables. Without proper lock protection via ctx->lock, concurrent access during operations like vidi_connection_ioctl and drm_mode_getconnector can lead to race conditions. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.

A local attacker with low privileges can trigger the race by issuing concurrent ioctls against the DRM device, for example vidi_connection_ioctl racing with drm_helper_probe_single_connector_modes via vidi_get_modes. In the described scenario, one thread allocates a drm_edid structure and assigns it to ctx->raw_edid; a second thread, running vidi_get_modes, observes the pointer as non-NULL and begins duplicating it; a third thread then frees the structure after a connection state change, before the second thread's copy (kmemdup) runs, so the copy reads freed memory. Successful exploitation could enable arbitrary code execution, data corruption, or a system crash in kernel context.

Mitigation involves applying the upstream kernel patches that enforce ctx->lock protection around the memory alloc/free operations in vidi_context, as carried in the referenced stable branch commits: 0cd2c155740d, 1b24d3e8792b, 52b330799e2d, 56966a4cfa92, and 60b75407c172. Security practitioners should update affected Linux kernels to versions incorporating these fixes.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free. The Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problems.

For example, a use-after-free can occur in a race scenario like this:

```
CPU0                                  CPU1                                           CPU2
----                                  ----                                           ----
vidi_connection_ioctl()
  if (vidi->connection) // true
    drm_edid = drm_edid_alloc(); // alloc drm_edid
    ...
    ctx->raw_edid = drm_edid;
    ...
                                      drm_mode_getconnector()
                                        drm_helper_probe_single_connector_modes()
                                          vidi_get_modes()
                                            if (ctx->raw_edid) // true
                                              drm_edid_dup(ctx->raw_edid);
                                                if (!drm_edid) // false
                                                ...
                                                                                     vidi_connection_ioctl()
                                                                                       if (vidi->connection) // false
                                                                                         drm_edid_free(ctx->raw_edid); // free drm_edid
                                                                                         ...
                                                drm_edid_alloc(drm_edid->edid)
                                                  kmemdup(edid); // UAF!!
                                                  ...
```

To prevent these vulnerabilities, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock.
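As an added illustration, not the driver's code or the kernel patch, the following user-space C model reproduces the shared-pointer pattern from the diagram and the shape of the fix: the alloc/free path and the duplicate path hold the same lock, so the NULL check and the copy can no longer be split by a concurrent free. The names struct ctx, connection_ioctl, get_modes_dup, flipper, stress and FILL are the example's own.

```c
/* Constructed user-space model of the CVE-2026-23227 pattern, not driver code: one path
 * allocates/frees a shared EDID (vidi_connection_ioctl), another copies it (vidi_get_modes). */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#define EDID_LEN 128
#define FILL 0x5a               /* marker byte used to check a copy's integrity */
struct edid { unsigned char data[EDID_LEN]; };
struct ctx { pthread_mutex_t lock; struct edid *raw_edid; }; /* ctx->lock, ctx->raw_edid */
/* Connect allocates, disconnect frees; the vulnerable driver freed with no lock held. */
void connection_ioctl(struct ctx *c, int connection)
{
    pthread_mutex_lock(&c->lock);
    if (!connection) { free(c->raw_edid); c->raw_edid = NULL; }
    else if (!c->raw_edid && (c->raw_edid = malloc(sizeof *c->raw_edid)))
        memset(c->raw_edid->data, FILL, EDID_LEN);
    pthread_mutex_unlock(&c->lock);
}
/* NULL check and copy (kmemdup in the kernel) form one critical section: checking
 * outside the lock and copying inside it is exactly the CPU1/CPU2 window above. */
struct edid *get_modes_dup(struct ctx *c)
{
    struct edid *copy = NULL;
    pthread_mutex_lock(&c->lock);
    if (c->raw_edid && (copy = malloc(sizeof *copy)))
        memcpy(copy, c->raw_edid, sizeof *copy);
    pthread_mutex_unlock(&c->lock);
    return copy;                /* caller owns the copy and must free it */
}
static void *flipper(void *arg) /* connect/disconnect churn, like CPU0 and CPU2 */
{
    for (int i = 0; i < 20000; i++) connection_ioctl(arg, i & 1);
    return NULL;
}
/* Dups race the churn; returns how many copies came back corrupted (expect 0). */
int stress(void)
{
    struct ctx c = { PTHREAD_MUTEX_INITIALIZER, NULL };
    pthread_t t; int bad = 0;
    pthread_create(&t, NULL, flipper, &c);
    for (int i = 0; i < 20000; i++) {
        struct edid *e = get_modes_dup(&c);
        if (e && (e->data[0] != FILL || e->data[EDID_LEN - 1] != FILL)) bad++;
        free(e);
    }
    pthread_join(t, NULL);
    connection_ioctl(&c, 0);    /* release whatever the flipper left allocated */
    return bad;
}
```

Removing the lock calls from get_modes_dup while keeping them in connection_ioctl reproduces the unprotected check-then-copy the commit message describes; under a sanitizer such a build reports the freed-memory read.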


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in DRM driver enables arbitrary code execution from low-privileged user context, mapping directly to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-43019 · Same product: Linux Linux Kernel
CVE-2026-23158 · Same product: Linux Linux Kernel
CVE-2025-21893 · Same product: Linux Linux Kernel
CVE-2026-31446 · Same product: Linux Linux Kernel
CVE-2026-31650 · Same product: Linux Linux Kernel
CVE-2026-23001 · Same product: Linux Linux Kernel
CVE-2024-50051 · Same product: Linux Linux Kernel
CVE-2025-21759 · Same product: Linux Linux Kernel

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 3.6 to 6.12.77 · 6.13 to 6.18.11 · 6.19 to 6.19.1

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mitigates the use-after-free by requiring timely patching of the Linux kernel to add ctx->lock protection around vidi_context memory alloc/free operations.

CM-7 Least Functionality (prevent): Prevents exploitation by prohibiting or restricting the Exynos VIDI driver when not required, avoiding execution of the vulnerable code paths.

Prevent: Identifies vulnerable kernel versions affected by CVE-2026-23227 through vulnerability scanning, enabling proactive patching.
