Skip to main content

Linux Kernel CVE-2026-43367

| EUVDEUVD-2026-28673 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-6782-3g9q-cmg4
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 15:52 vuln.today
CVSS changed
May 15, 2026 - 15:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amd: Fix a few more NULL pointer dereference in device cleanup

I found a few more paths that cleanup fails due to a NULL version pointer on unsupported hardware.

Add NULL checks as applicable.

(cherry picked from commit f5a05f8414fc10f307eb965f303580c7778f8dd2)

AnalysisAI

Null pointer dereference in Linux kernel's AMD DRM driver causes system crash during device cleanup on unsupported hardware. The flaw (CWE-476) affects multiple 6.18.x and 6.19.x kernel versions, allowing local authenticated users to trigger denial of service through AMD GPU driver initialization or cleanup operations. Patches available via kernel stable tree commits with EPSS score of 0.02% indicating minimal exploitation likelihood. No active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability exists in the Direct Rendering Manager (DRM) subsystem's AMD GPU driver module within the Linux kernel. The issue stems from inadequate null pointer validation during device cleanup routines. When the driver attempts cleanup operations on unsupported AMD hardware, a version pointer remains uninitialized (NULL), causing kernel panic when dereferenced. The fix adds defensive null checks before pointer access in cleanup code paths. This affects the kernel's graphics driver stack, specifically the amdgpu module responsible for managing AMD Radeon and RDNA GPU hardware. The vulnerability class CWE-476 (NULL Pointer Dereference) represents a common programming error where code fails to validate pointer initialization before use.

RemediationAI

Update to patched kernel versions: 6.18.19 or later for the 6.18.x series, 6.19.9 or later for the 6.19.x series. Upstream fixes are available in stable tree commits 72ecb1dae72775fa9fea0159d8445d620a0a2295, 38f1640db7f8bf57b9e09c5b0b8b205a598f1b3e, and 5edcb0d6729b88f192ec8b0896aaf581e3593c9c accessible at https://git.kernel.org/stable/. Distribution-specific patched kernels should be applied through standard package management (apt, yum, dnf). As a temporary workaround on systems with unsupported AMD hardware, blacklist the amdgpu kernel module via modprobe configuration (echo 'blacklist amdgpu' >> /etc/modprobe.d/blacklist.conf) to prevent driver loading-note this disables AMD GPU functionality entirely. Alternatively, restrict physical hardware access and monitor for unexpected kernel panics in dmesg logs. No firewall or network-level compensating controls apply given the local attack vector.

More in Amd

View all
CVE-2021-22986 CRITICAL POC
9.8 Mar 31

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.

CVE-2020-6103 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6102 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6101 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6100 CRITICAL POC
9.9 Jul 20

An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. Rated criti

CVE-2018-6546 CRITICAL POC
9.8 Apr 13

plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming

CVE-2021-3653 HIGH POC
8.8 Sep 29

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. Rated high severity (CVSS 8.8), this vu

CVE-2020-12138 HIGH POC
8.8 Apr 27

AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of se

CVE-2019-5098 HIGH POC
8.6 Dec 05

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. Rated high

CVE-2015-7724 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2015-7723 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.7 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2023-1048 HIGH POC
7.8 Feb 26

A vulnerability, which was classified as critical, has been found in TechPowerUp Ryzen DRAM Calculator 1.2.0.5.sys. Rate

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43367 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy