CVE-2026-23227
Published: 18 February 2026
Summary
CVE-2026-23227 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-23227 is a use-after-free vulnerability (CWE-416) in the Linux kernel's Exynos Virtual Display driver (drm/exynos: vidi), stemming from unprotected memory allocation and freeing operations on struct vidi_context member variables. Without proper lock protection via ctx->lock, concurrent access during operations like vidi_connection_ioctl and drm_mode_getconnector can lead to race conditions. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
A local attacker with low privileges can exploit this by triggering concurrent ioctls on the DRM device, such as vidi_connection_ioctl racing with drm_helper_probe_single_connector_modes via vidi_get_modes. In the described scenario, one thread allocates and assigns a drm_edid structure to ctx->raw_edid, while another frees it after a connection state change, allowing a third thread to duplicate and access the freed memory (e.g., via kmemdup), resulting in use-after-free. Successful exploitation could enable arbitrary code execution, data corruption, or system crashes within the kernel context.
Mitigation involves applying upstream kernel patches that enforce ctx->lock protection around memory alloc/free operations in vidi_context, as detailed in the referenced stable branch commits: 0cd2c155740d, 1b24d3e8792b, 52b330799e2d, 56966a4cfa92, and 60b75407c172. Security practitioners should update affected Linux kernels incorporating these fixes to prevent exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7674
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free

Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes a concurrency problem.

For example, use-after-free can occur in a race scenario like this:

```
CPU0                                CPU1                                            CPU2
----                                ----                                            ----
vidi_connection_ioctl()
  if (vidi->connection) // true
    drm_edid = drm_edid_alloc(); // alloc drm_edid
    ...
    ctx->raw_edid = drm_edid;
    ...
                                    drm_mode_getconnector()
                                      drm_helper_probe_single_connector_modes()
                                        vidi_get_modes()
                                          if (ctx->raw_edid) // true
                                            drm_edid_dup(ctx->raw_edid);
                                              if (!drm_edid) // false
                                              ...
                                                                                    vidi_connection_ioctl()
                                                                                      if (vidi->connection) // false
                                                                                        drm_edid_free(ctx->raw_edid); // free drm_edid
                                                                                        ...
                                              drm_edid_alloc(drm_edid->edid)
                                                kmemdup(edid); // UAF!!
                                              ...
```

To prevent these vulns, at least in vidi_context, member variables related to memory alloc/free should be protected with ctx->lock.
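The locking rule the fix applies, as an added user-space model in C (not the exynos driver's own code): vidi_connection_ioctl() replaces or frees raw_edid only while holding the lock, and vidi_get_modes() copies it out under that same lock so the caller never touches the shared buffer after the lock is released. A pthread mutex stands in for the kernel's ctx->lock; the struct layout and the length field are assumptions.

```c
/* Added example (not the exynos driver's code): a user-space model of the
 * locking rule the fix enforces. Names mirror the driver; layout is assumed. */
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct vidi_context {
    pthread_mutex_t lock;  /* stands in for the kernel's ctx->lock */
    int connection;
    uint8_t *raw_edid;     /* shared; read or replaced only with lock held */
    size_t raw_edid_len;
};

/* Models vidi_connection_ioctl(): alloc on connect, free on disconnect.
 * Assignment and free both happen under the lock, so a concurrent
 * vidi_get_modes() sees the old or the new buffer, never a freed one. */
int vidi_connection_ioctl(struct vidi_context *ctx, int connection,
                          const uint8_t *edid, size_t len)
{
    uint8_t *copy = NULL;
    if (connection) {
        if (!(copy = malloc(len)))
            return -1;
        memcpy(copy, edid, len);
    }
    pthread_mutex_lock(&ctx->lock);
    free(ctx->raw_edid);            /* drop the previous raw_edid, if any */
    ctx->raw_edid = copy;
    ctx->raw_edid_len = connection ? len : 0;
    ctx->connection = connection;
    pthread_mutex_unlock(&ctx->lock);
    return 0;
}

/* Models vidi_get_modes(): duplicate raw_edid while holding the lock and
 * give the caller its own copy, so nothing dereferences ctx->raw_edid after
 * the lock is dropped. Returns bytes copied, 0 when disconnected. */
size_t vidi_get_modes(struct vidi_context *ctx, uint8_t *out, size_t cap)
{
    size_t n = 0;
    pthread_mutex_lock(&ctx->lock);
    if (ctx->raw_edid && ctx->raw_edid_len <= cap) {
        n = ctx->raw_edid_len;
        memcpy(out, ctx->raw_edid, n);  /* the kmemdup() step, under lock */
    }
    pthread_mutex_unlock(&ctx->lock);
    return n;
}
```

Without the lock in vidi_get_modes(), the copy step could overlap a concurrent disconnect exactly as in the CPU1/CPU2 interleaving the report describes.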
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
A local kernel UAF in a DRM driver enables arbitrary code execution from a low-privileged user context, mapping directly to exploitation for privilege escalation.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the use-after-free by requiring timely patching of the Linux kernel to add ctx->lock protection around vidi_context memory alloc/free operations.
- CM-7 (Least Functionality): Prevents exploitation by prohibiting or restricting the Exynos VIDI driver when it is not required, so the vulnerable code paths are never executed.
- Identifies vulnerable kernel versions affected by CVE-2026-23227 through vulnerability scanning, enabling proactive patching.