Skip to main content

Linux Kernel CVE-2026-43237

| EUVDEUVD-2026-27796 HIGH
Use After Free (CWE-416)
2026-05-06 Linux GHSA-q8m3-r6x8-76gx
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:41 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4

This commit simplifies the amdgpu_gem_va_ioctl function, key updates include:

  • Moved the logic for managing the last update fence directly into

amdgpu_gem_va_update_vm.

  • Introduced checks for the timeline point to enable conditional

replacement or addition of fences.

v2: Addressed review comments from Christian. v3: Updated comments (Christian). v4: The previous version selected the fence too early and did not manage its reference correctly, which could lead to stale or freed fences being used. This resulted in refcount underflows and could crash when updating GPU timelines. The fence is now chosen only after the VA mapping work is completed, and its reference is taken safely. After exporting it to the VM timeline syncobj, the driver always drops its local fence reference, ensuring balanced refcounting and avoiding use-after-free on dma_fence.

Crash signature: [ 205.828135] refcount_t: underflow; use-after-free. [ 205.832963] WARNING: CPU: 30 PID: 7274 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 ... [ 206.074014] Call Trace: [ 206.076488] <TASK> [ 206.078608] amdgpu_gem_va_ioctl+0x6ea/0x740 [amdgpu] [ 206.084040] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu] [ 206.089994] drm_ioctl_kernel+0x86/0xe0 [drm] [ 206.094415] drm_ioctl+0x26e/0x520 [drm] [ 206.098424] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu] [ 206.104402] amdgpu_drm_ioctl+0x4b/0x80 [amdgpu] [ 206.109387] __x64_sys_ioctl+0x96/0xe0 [ 206.113156] do_syscall_64+0x66/0x2d0 ... [ 206.553351] BUG: unable to handle page fault for address: ffffffffc0dfde90 ... [ 206.553378] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0 ... [ 206.553405] Call Trace: [ 206.553409] <IRQ> [ 206.553415] ? __pfx_drm_sched_fence_free_rcu+0x10/0x10 [gpu_sched] [ 206.553424] dma_fence_signal+0x30/0x60 [ 206.553427] drm_sched_job_done.isra.0+0x123/0x150 [gpu_sched] [ 206.553434] dma_fence_signal_timestamp_locked+0x6e/0xe0 [ 206.553437] dma_fence_signal+0x30/0x60 [ 206.553441] amdgpu_fence_process+0xd8/0x150 [amdgpu] [ 206.553854] sdma_v4_0_process_trap_irq+0x97/0xb0 [amdgpu] [ 206.554353] edac_mce_amd(E) ee1004(E) [ 206.554270] amdgpu_irq_dispatch+0x150/0x230 [amdgpu] [ 206.554702] amdgpu_ih_process+0x6a/0x180 [amdgpu] [ 206.555101] amdgpu_irq_handler+0x23/0x60 [amdgpu] [ 206.555500] __handle_irq_event_percpu+0x4a/0x1c0 [ 206.555506] handle_irq_event+0x38/0x80 [ 206.555509] handle_edge_irq+0x92/0x1e0 [ 206.555513] __common_interrupt+0x3e/0xb0 [ 206.555519] common_interrupt+0x80/0xa0 [ 206.555525] </IRQ> [ 206.555527] <TASK> ... [ 206.555650] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0 ... [ 206.555667] Kernel panic - not syncing: Fatal exception in interrupt

AnalysisAI

Use-after-free and reference count underflow in the Linux kernel's amdgpu DRM driver allows local authenticated users with low privileges to cause kernel panic, denial of service, and potentially execute arbitrary code with kernel privileges. The vulnerability affects amdgpu_gem_va_ioctl handling of GPU timeline fences where stale or freed fences are used due to premature fence selection and improper reference management. Patch available in kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or active exploitation has been identified.

Technical ContextAI

This vulnerability affects the Direct Rendering Manager (DRM) subsystem's AMD GPU driver, specifically the amdgpu_gem_va_ioctl function responsible for GPU virtual address mapping operations. The underlying issue involves DMA fence lifecycle management in the kernel's graphics memory management subsystem. DMA fences are synchronization primitives used to coordinate GPU operations and memory access across multiple hardware contexts. The bug occurs when timeline point management logic selects and exports fences to VM timeline syncobjects before VA mapping work completes, and fails to properly acquire and release fence references. This creates a classic use-after-free condition where the kernel attempts to signal or manipulate fence objects after their memory has been freed, triggering refcount_t underflows detected by the kernel's reference counting infrastructure. The affected CPE strings (cpe:2.3:a:linux:linux) indicate this affects mainline Linux kernel implementations with AMD GPU driver support compiled in or loaded as a module.

RemediationAI

Update to patched Linux kernel versions: 6.18.16 or later in the 6.18 stable series, 6.19.6 or later in the 6.19 stable series, or 7.0 or later for mainline. Patch commits are available at https://git.kernel.org/stable/c/e9e477d3197f7d8955a042c0d7f53f78f13218ba (6.18.16), https://git.kernel.org/stable/c/bd8150a1b3370a9f7761c5814202a3fe5a79f44f (6.19.6), and https://git.kernel.org/stable/c/0399b8416ecf64ef86ad23401fe23eabdb07831a (7.0) for manual backporting to custom kernels. If immediate patching is not feasible, consider these compensating controls with their trade-offs: (1) Restrict /dev/dri/card* and /dev/dri/renderD* device access to only trusted administrative users via udev rules - this prevents untrusted local users from triggering the vulnerable ioctl path, but breaks GPU functionality for standard users and container workloads requiring GPU access. (2) Unload or blacklist the amdgpu kernel module if AMD GPU functionality is not business-critical - eliminates attack surface entirely but disables all AMD GPU acceleration and display output on affected hardware. (3) In multi-tenant environments, disable GPU passthrough to guest VMs or containers until patching is complete - prevents untrusted tenants from accessing vulnerable driver code, but degrades performance for GPU-accelerated workloads. None of these mitigations are suitable for production systems requiring normal AMD GPU operation; prioritize kernel updates.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy