CVE-2022-50528
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix memory leakage

This patch fixes potential memory leakage and seg fault in _gpuvm_import_dmabuf() function
Analysis
A memory leakage and potential segmentation fault vulnerability exists in the Linux kernel's AMD KFD (Kernel Fusion Driver) GPU memory management subsystem, specifically in the _gpuvm_import_dmabuf() function. The vulnerability affects Linux kernel versions across multiple branches and can be exploited by local users with low privilege levels to cause denial of service through memory corruption. Patches are available from the Linux kernel stable branches, and while the EPSS score is very low (0.01%, percentile 3%), the vulnerability has moderate CVSS severity (5.5) due to its ability to cause system availability impact.
Technical Context
This vulnerability resides in the AMD KFD GPU virtualization memory management code (drm/amdkfd subsystem) within the Linux kernel. The root cause is classified as CWE-401 (Missing Release of Memory after Effective Lifetime), indicating improper cleanup of dynamically allocated memory within the _gpuvm_import_dmabuf() function. When processing DMA buffer imports for GPU virtual memory, the function fails to properly release allocated memory under certain error conditions, leading to heap corruption and potential segmentation faults. AMD KFD is a core component of AMD GPU support in Linux, affecting systems with AMD GPUs that rely on kernel-level memory management for GPU-CPU coherence. The affected product is the Linux kernel itself (identified via multiple CPE entries for linux:linux_kernel), which is the foundational operating system component used across virtually all Linux distributions.
Affected Products
The Linux kernel across multiple stable branches and versions is affected, as indicated by the CPE specifications (cpe:2.3:o:linux:linux_kernel). The vulnerability has been patched in multiple kernel stable branches with commits 7356d8e367d0e025a568e369c4cf575722cac60f, 75818afff631e1ea785a82c3e8bb82eb0dee539c, 8876793e56ec69b3be2a883b4bc440df3dbb1865, and c65564790048fa416ccd26a8945c7ec0cf9ef0b7 available from the Linux kernel stable repository at https://git.kernel.org/stable/. Specific affected kernel versions are not enumerated in the provided data, but users running pre-patch versions of the Linux kernel with AMD GPU support (particularly those with AMD Radeon GPUs or AMDGPU driver support) are at risk. Distribution maintainers have released corresponding kernel updates addressing this CVE.
Remediation
The primary remediation is to upgrade the Linux kernel to a patched version containing one of the four stable commits addressing the memory leak in _gpuvm_import_dmabuf(). Users should check their distribution's kernel updates and apply the latest available kernel version from their vendor (e.g., Ubuntu kernel security updates, Red Hat RHSA advisories, Debian security updates). The patches are available upstream in the Linux kernel stable branches at https://git.kernel.org/stable/. Where a system cannot be patched immediately, note that the vulnerability only affects systems with AMD GPUs actively using kernel mode GPU memory management; systems without AMD GPUs or running integrated graphics are unaffected. Administrators should prioritize patching systems that run workloads requiring GPU acceleration, such as machine learning platforms, compute servers, or workstations with dedicated AMD GPUs.
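The remediation steps above can be turned into a quick host triage. The script below is an added example, not part of the advisory or of any vendor tooling. It assumes that amdkfd ships inside the amdgpu module and that the kernel package changelog cites either the CVE ID or one of the four fix commits; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added triage sketch for CVE-2022-50528; not part of the advisory.
CVE_ID="CVE-2022-50528"
# First 12 hex digits of the four stable fix commits listed on this page.
FIX_COMMITS="7356d8e367d0 75818afff631 8876793e56ec c65564790048"

# Succeeds if amdgpu (assumed to carry amdkfd) is listed in a
# /proc/modules-format file. Drivers built into the kernel image are not
# listed there, so "not listed" is a hint rather than proof.
amdgpu_loaded() {
    awk '$1 == "amdgpu" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# Succeeds if changelog text on stdin cites the CVE ID or a fix commit.
changelog_has_fix() {
    pattern="$CVE_ID"
    for c in $FIX_COMMITS; do pattern="$pattern|$c"; done
    grep -qE "$pattern"
}

# Prints not-exposed, patched or needs-update.
# $1 = modules file, $2 = kernel package changelog saved to a file.
triage() {
    if ! amdgpu_loaded "$1"; then
        echo "not-exposed"
    elif changelog_has_fix < "$2"; then
        echo "patched"
    else
        echo "needs-update"
    fi
}

# Demo on constructed sample data (not real host output).
demo() {
    tmp=$(mktemp -d)
    printf 'amdgpu 9000000 12 - Live 0x0000000000000000\n' > "$tmp/modules"
    printf '* drm/amdkfd: Fix memory leakage {CVE-2022-50528}\n' > "$tmp/fixed"
    printf '* unrelated scheduler fix\n' > "$tmp/old"
    echo "fixed changelog: $(triage "$tmp/modules" "$tmp/fixed")"
    echo "old changelog:   $(triage "$tmp/modules" "$tmp/old")"
    rm -rf "$tmp"
}
demo
```

On a real host, pass /proc/modules and the installed kernel package's changelog saved to a file (for example the output of `rpm -q --changelog kernel` on RPM-based systems). A needs-update result only means the changelog does not mention the fix, so confirm against the vendor advisory.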