Skip to main content

Linux CVE-2026-23468

| EUVDEUVD-2026-18736 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-03 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 26, 2026 - 14:37 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
6270b1a5dab94665d7adce3dc78bc9066ed28bdd,5ce4a38e6c2488949e373d5066303f9c128db614
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18736
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Limit BO list entry count to prevent resource exhaustion

Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times.

Introduce a hard limit of 128k entries per BO list, which is more than sufficient for any realistic use case (e.g., a single list containing all buffers in a large scene). This prevents memory exhaustion attacks and ensures predictable performance.

Return -EINVAL if the requested entry count exceeds the limit

(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)

AnalysisAI

Denial of service in Linux kernel amdgpu driver allows local attackers to exhaust system memory by passing an arbitrarily large BO (buffer object) list entry count via userspace, bypassing existing overflow checks but causing excessive allocation and processing delays; fixed by enforcing a 128k entry limit per BO list.

Technical ContextAI

The AMD GPU (amdgpu) driver in the Linux kernel processes buffer object (BO) lists submitted from userspace via the bo_number field. Although multiplication overflow protection was in place, this did not prevent a malicious or buggy userspace application from specifying an extremely large entry count, resulting in multi-gigabyte memory allocations and prolonged list iteration. The vulnerability exploits the gap between overflow prevention and resource exhaustion prevention. The fix implements a hard upper limit of 131,072 (128k) entries per BO list, a threshold deemed sufficient for legitimate graphics workloads while eliminating the attack surface for memory exhaustion. This is a bounds-checking deficiency (CWE-190-adjacent, regarding resource limits rather than arithmetic overflow specifically).

RemediationAI

Apply the Linux kernel patch fixing the amdgpu BO list entry count validation; the specific fix is committed in stable branches at commit 5ce4a38e6c2488949e373d5066303f9c128db614 and related backports (f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9, 6270b1a5dab94665d7adce3dc78bc9066ed28bdd). Users should update to a kernel version containing these fixes via distribution package managers or direct kernel rebuild from kernel.org. No workaround is available for systems that cannot immediately patch; restricting execution of untrusted userspace applications may reduce exposure. Verification can be performed by checking kernel logs for rejection of BO list entries exceeding 128k, or by reviewing kernel source for the presence of the hardcoded limit in the amdgpu driver's BO list processing code.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.145 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.162 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.176 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.125 Affected
Image SLES-Azure-Basic Image SLES-EC2 Image SLES-Hardened-BYOS-Azure Image SLES-SAPCAL-Azure Affected
Image SLES12-SP5-Azure-BYOS Image SLES12-SP5-EC2-BYOS Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-BYOS Image SLES12-SP5-GCE-On-Demand Affected

Share

CVE-2026-23468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy