CVE-2026-53378 in Linuxinfo

Summary

by MITRE • 07/19/2026

In the Linux kernel, the following vulnerability has been resolved:

drm/colorop: Fix blob property reference tracking in state lifecycle

The colorop state blob property handling had memory leaks during state duplication, destruction, and reset operations. The implementation failed to follow the established pattern from drm_crtc's handling of DEGAMMA/GAMMA blob properties.

Issues fixed: - drm_colorop_atomic_destroy_state() was freeing state memory without releasing the blob reference, causing a leak - drm_colorop_reset() was directly freeing old state with kfree() instead of properly destroying it, leaking blob references - drm_colorop_cleanup() had duplicate blob cleanup code

Changes: - Add __drm_atomic_helper_colorop_destroy_state() helper to properly release blob references before freeing state memory - Update drm_colorop_atomic_destroy_state() to call the helper - Fix drm_colorop_reset() to use drm_colorop_atomic_destroy_state() for proper cleanup of old state - Simplify drm_colorop_cleanup() to use the common destruction path

This matches the well-tested pattern used by drm_crtc since 2016 and ensures proper reference counting throughout the state lifecycle.

Co-developed by Claude Sonnet 4.5.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/19/2026

The vulnerability in question affects the linux kernel's direct rendering manager subsystem specifically within the colorop state blob property handling mechanism. This issue represents a memory management flaw that occurs during the lifecycle operations of graphics state objects, where reference counting mechanisms fail to properly track and release blob references. The problem manifests as memory leaks that accumulate over time during graphics state duplication, destruction, and reset operations, potentially leading to system resource exhaustion and degraded performance in graphics-intensive applications.

The technical root cause stems from improper implementation of the atomic state management pattern within the drm_colorop subsystem. Unlike the established drm_crtc handling of DEGAMMA/GAMMA blob properties that has been tested and validated since 2016, the colorop implementation failed to maintain proper reference counting throughout the state lifecycle operations. The drm_colorop_atomic_destroy_state function was directly freeing memory without releasing associated blob references, creating memory leaks that persist until system reboot. Additionally, the drm_colorop_reset function employed incorrect cleanup methodology by using kfree() directly on old state objects instead of properly invoking the atomic destruction helper, which would have ensured proper reference release.

The operational impact of this vulnerability extends beyond simple memory leaks to potentially affect system stability and graphics performance in environments utilizing the linux kernel's drm subsystem. When graphics applications repeatedly create and destroy colorop state objects during normal operation, the accumulated memory leaks can eventually consume significant system resources and may lead to application crashes or system instability. The issue affects graphics drivers that implement color operations through the drm framework, particularly those using atomic commit mechanisms for state management.

The fix implements a comprehensive solution by introducing the __drm_atomic_helper_colorop_destroy_state() helper function that properly releases blob references before freeing state memory, ensuring reference counting integrity throughout the cleanup process. This approach aligns with industry standards and best practices established in the drm subsystem since 2016, specifically following the well-tested patterns used by drm_crtc for handling DEGAMMA/GAMMA blob properties. The implementation now properly coordinates between drm_colorop_atomic_destroy_state(), drm_colorop_reset(), and drm_colorop_cleanup() functions to ensure consistent reference management across all state lifecycle operations.

This vulnerability resolution addresses a CWE-401: Improper Release of Memory Before Removing Last Reference, which represents a fundamental memory management issue in kernel space code. The fix pattern also aligns with ATT&CK framework techniques related to system resource exhaustion and kernel memory corruption vulnerabilities. By standardizing the cleanup methodology across all state operations, the implementation ensures proper reference counting and prevents the accumulation of unreleased references that could lead to both immediate memory leaks and long-term system stability issues. The solution maintains compatibility with existing graphics driver interfaces while providing robust memory management throughout the drm colorop subsystem's operational lifecycle.

The changes implemented represent a significant improvement over previous code patterns by establishing a consistent destruction path that properly manages blob reference counts during all state operations. This approach eliminates duplicate cleanup code in drm_colorop_cleanup() and ensures that all cleanup operations flow through the same standardized helper function, reducing the potential for similar issues to arise in future modifications. The fix demonstrates proper adherence to kernel development best practices for atomic state management and memory resource handling within graphics subsystems, ensuring that blob references are properly tracked and released throughout the complete state lifecycle from creation to destruction.

Responsible

Linux

Reservation

06/09/2026

Disclosure

07/19/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!