Skip to main content

Linux Kernel amdgpu CVE-2026-43398

| EUVDEUVD-2026-28704 MEDIUM
2026-05-08 Linux GHSA-wv9h-grcg-85wc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 19:38 vuln.today
CVSS changed
May 21, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: add upper bound check on user inputs in wait ioctl

Huge input values in amdgpu_userq_wait_ioctl can lead to a OOM and could be exploited.

So check these input value against AMDGPU_USERQ_MAX_HANDLES which is big enough value for genuine use cases and could potentially avoid OOM.

v2: squash in Srini's fix

(cherry picked from commit fcec012c664247531aed3e662f4280ff804d1476)

AnalysisAI

Out-of-memory exploitation in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to crash or destabilize a system by supplying oversized input values to the amdgpu_userq_wait_ioctl interface. Systems running affected kernel versions with AMD GPU hardware are vulnerable to availability loss. No public exploit code has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; this is not confirmed actively exploited (not in CISA KEV).

Technical ContextAI

The vulnerability resides in the drm/amdgpu kernel subsystem, specifically the amdgpu_userq_wait_ioctl function responsible for handling AMD GPU user queue wait operations. The root cause is an absence of an upper bound check on user-supplied handle count values before memory allocation proceeds - a pattern consistent with CWE-770 (Allocation of Resources Without Limits or Throttling) or CWE-1284 (Improper Validation of Specified Quantity in Input), though NVD lists CWE as N/A. The fix introduces a validation gate against the AMDGPU_USERQ_MAX_HANDLES constant, which the upstream commit notes is 'big enough for genuine use cases' while preventing pathological allocations. Affected CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* covering kernel versions from the initial commit (1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) up to the patched stable releases.

RemediationAI

Upgrade to Linux kernel 6.18.19, 6.19.9, or 7.0, each of which contains the upstream fix (cherry-picked from mainline commit fcec012c664247531aed3e662f4280ff804d1476). Stable-tree patch commits are available at https://git.kernel.org/stable/c/64ac7c09fc44985ec9bb6a9db740899fa40ca613 (6.18.x), https://git.kernel.org/stable/c/3cd93bc695b3456f26f5ed52753d9071da26202a (6.19.x), and https://git.kernel.org/stable/c/b1d10508da559da2e0ca9cca6505094a7df948e1 (mainline). As a compensating control before patching, restrict access to AMD GPU device nodes (/dev/dri/cardX, /dev/dri/renderDX) by tightening udev rules or group membership (e.g., removing untrusted users from the 'render' or 'video' group) - this prevents unprivileged local users from issuing the ioctl. Trade-off: this may break legitimate GPU-accelerated workloads for those users. Blacklisting the amdgpu module is a last-resort option that would entirely prevent GPU hardware access.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy