Use-after-free race in Linux kernel DRM change_handle

Repository contains a complete local privilege escalation exploit for CVE-2026-46215, a Linux kernel DRM GEM use-after-free in drm_gem_change_handle_ioctl. Structure is minimal: README.md documents the bug, affected/fixed versions, exploit chain, prerequisites, and expected output; poc.c implements the exploit in C; run_exploit.sh builds a static PoC plus a tiny initramfs and boots a vulnerable kernel in QEMU for reproduction. The exploit is not a scanner or detection script. It is an operational end-to-end LPE chain. In poc.c, two threads race DRM_IOCTL_GEM_CHANGE_HANDLE against DRM_IOCTL_GEM_CLOSE on a GEM object to create a dangling handle. The freed slab slot is reclaimed with sprayed pipe_buffer objects. A driver-specific info ioctl (virtio_gpu or nouveau) is then used to leak a kernel pointer from overlapped pipe_buf_ops, giving a KASLR bypass. Next, DRM_IOCTL_GEM_FLINK is used so the GEM object's name field overlaps pipe_buf flags, setting PIPE_BUF_FLAG_CAN_MERGE. Finally, writes to the prepared pipes are merged into the page cache of /etc/passwd, overwriting the root entry and removing its password field, yielding passwordless root. The code then verifies the file modification and spawns a shell. The bash wrapper is a reproducibility harness rather than the exploit itself. It compiles the PoC statically, creates a helper that drops to uid/gid 1000, builds an initramfs with busybox, creates a read-only /etc/passwd, and boots QEMU with virtio-gpu-pci, KVM, and nokaslr. Inside the guest it waits for /dev/dri/card0, chmods /dev/dri/* to make the device accessible, runs the exploit as an unprivileged user, and prints /etc/passwd before and after. Overall purpose: demonstrate reliable exploitation of the DRM GEM handle UAF to achieve unprivileged root on vulnerable Linux kernels with compatible DRM drivers.