Skip to main content

Linux Kernel CVE-2026-43399

| EUVDEUVD-2026-28705 MEDIUM
2026-05-08 Linux GHSA-wmw9-c68x-2mg9
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 19:39 vuln.today
CVSS changed
May 21, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/userq: Fix reference leak in amdgpu_userq_wait_ioctl

Drop reference to syncobj and timeline fence when aborting the ioctl due output array being too small.

(cherry picked from commit 68951e9c3e6bb22396bc42ef2359751c8315dd27)

AnalysisAI

Reference leak in the Linux kernel's amdgpu userqueue subsystem allows a local low-privileged user to exhaust kernel resources by repeatedly triggering an early-abort code path in amdgpu_userq_wait_ioctl. When the ioctl aborts because the caller-supplied output array is too small, the kernel omits required reference drops on syncobj and timeline fence objects, preventing those objects from ever being freed. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (4th percentile), signaling negligible real-world exploitation activity.

Technical ContextAI

The vulnerability resides in the Direct Rendering Manager (DRM) subsystem of the Linux kernel, specifically within the amdgpu driver's user queue (userq) implementation at the amdgpu_userq_wait_ioctl code path. Sync objects (syncobj) and timeline fences are kernel primitives used to serialize GPU command submission; each holds a reference count that must be explicitly decremented when no longer needed. When the ioctl detects that the caller's output buffer is too small and returns early, the code omits the requisite drm_syncobj_put() and timeline fence reference decrement calls, constituting a resource management flaw equivalent to CWE-401 (Missing Release of Memory or Resource After Effective Lifetime). The fix was cherry-picked from upstream commit 68951e9c3e6bb22396bc42ef2359751c8315dd27. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. The 'Information Disclosure' tag present in source metadata is inconsistent with the CVSS C:N vector and the description - that tag appears to be a metadata artifact and should not influence triage.

RemediationAI

The vendor-released patches are available in Linux stable kernels 6.18.19 and 6.19.9, and in the Linux 7.0 line. Upstream fix commits are published at https://git.kernel.org/stable/c/49abfa812617a7f2d0132c70d23ac98b389c6ec1 (6.18 branch), https://git.kernel.org/stable/c/762f47e2b824383d5be65eee2c40a1269b7d50c8 (6.19 branch), and https://git.kernel.org/stable/c/5409247d41f372bec5b141ef599f2d9f5e81b746 (7.0 branch). Distribution-specific kernel updates from Red Hat, Ubuntu, SUSE, and others should be monitored for backport availability. If immediate patching is not feasible on systems where untrusted local users have GPU access, restrict permissions on the amdgpu device node (e.g., via udev rules setting mode 0600 or group-based access control) to prevent unprivileged users from submitting ioctls; note this will block those users from GPU acceleration entirely. Container environments should verify that /dev/dri/* device access is not granted to untrusted workloads.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy