Skip to main content

Linux Kernel CVE-2026-31766

| EUVDEUVD-2026-26579 HIGH
2026-05-01 Linux
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:29 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.1 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26579
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: validate doorbell_offset in user queue creation

amdgpu_userq_get_doorbell_index() passes the user-provided doorbell_offset to amdgpu_doorbell_index_on_bar() without bounds checking. An arbitrarily large doorbell_offset can cause the calculated doorbell index to fall outside the allocated doorbell BO, potentially corrupting kernel doorbell space.

Validate that doorbell_offset falls within the doorbell BO before computing the BAR index, using u64 arithmetic to prevent overflow.

(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)

AnalysisAI

Integer overflow in AMD GPU driver's user queue doorbell handling allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The amdgpu driver fails to validate user-supplied doorbell_offset values before calculating buffer offsets, enabling out-of-bounds writes to kernel doorbell space. Patches available in Linux 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of mass exploitation, though CVSS 7.1 reflects serious local privilege escalation potential. No active exploitation confirmed; attack requires local authenticated access to systems with AMD GPU hardware.

Technical ContextAI

This vulnerability affects the AMD GPU kernel driver (amdgpu/DRM subsystem) in Linux, specifically the user queue doorbell management mechanism. Doorbells are hardware signaling constructs used for GPU-CPU communication-the GPU reads doorbell memory locations to detect work submissions. The vulnerable function amdgpu_userq_get_doorbell_index() accepts a user-controlled doorbell_offset parameter and passes it unchecked to amdgpu_doorbell_index_on_bar(), which calculates a BAR (Base Address Register) index into the doorbell buffer object (BO). Without bounds validation, an attacker-supplied offset can cause integer overflow in u64 arithmetic or simply reference memory beyond the allocated doorbell BO boundaries. Since kernel doorbells share proximity with user doorbells in GPU BAR space, this enables corruption of kernel-owned doorbell entries. The CPE identifiers indicate broad applicability across Linux kernel versions containing the amdgpu driver code path introduced in commit f09c1e6077ab. The fix (commit de1ef4ffd70e) adds explicit bounds checking using u64 arithmetic before index computation, ensuring doorbell_offset cannot exceed the allocated BO size.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.22 or later for the 6.18 stable branch, 6.19.12 or later for 6.19 stable, or 7.0 and above for mainline kernels. The fix (commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec, cherry-picked as commit 3543005a42d7 in stable) adds validation ensuring doorbell_offset remains within allocated buffer boundaries before index calculation. Patches available from https://git.kernel.org/stable/c/3543005a42d7e8e12b21897ef6798541bf7cbcd3 and related stable branch commits. For systems unable to immediately patch, consider disabling amdgpu user queue functionality if not operationally required, though this impacts GPU compute workloads relying on user-space queue submission. Restricting local user access to trusted accounts on multi-user AMD GPU systems provides defense-in-depth but does not eliminate risk from already-compromised low-privilege accounts. Monitor kernel logs for amdgpu driver errors or unexpected GPU resets as potential exploitation indicators. No compensating control fully mitigates the vulnerability without patching-user queue validation occurs in kernel space beyond userland controls.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31766 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy