Skip to main content

Linux Kernel CVE-2026-45878

| EUVDEUVD-2026-32344 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-4753-mhw2-5g7r
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:26 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2

The address watch clear code receives watch_id as an unsigned value (u32), but some helper functions were using a signed int and checked bits by shifting with watch_id.

If a very large watch_id is passed from userspace, it can be converted to a negative value. This can cause invalid shifts and may access memory outside the watch_points array.

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2

Fix this by checking that watch_id is within MAX_WATCH_ADDRESSES before using it. Also use BIT(watch_id) to test and clear bits safely.

This keeps the behavior unchanged for valid watch IDs and avoids undefined behavior for invalid ones.

Fixes the below: drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448 kfd_dbg_trap_clear_dev_address_watch() error: buffer overflow 'pdd->watch_points' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped

drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c 433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd, 434 uint32_t watch_id) 435 { 436 int r; 437 438 if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))

kfd_dbg_owns_dev_watch_id() doesn't check for negative values so if watch_id is larger than INT_MAX it leads to a buffer overflow. (Negative shifts are undefined).

439 return -EINVAL; 440 441 if (!pdd->dev->kfd->shared_resources.enable_mes) { 442 r = debug_lock_and_unmap(pdd->dev->dqm); 443 if (r) 444 return r; 445 } 446 447 amdgpu_gfx_off_ctrl(pdd->dev->adev, false); --> 448 pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch( 449 pdd->dev->adev, 450 watch_id);

v2: (as per, Jonathan Kim)

  • Add early watch_id >= MAX_WATCH_ADDRESSES validation in the set path to

match the clear path.

  • Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id().

AnalysisAI

Local privilege escalation potential in the Linux kernel's AMD KFD (Kernel Fusion Driver) debug subsystem allows a local user with GPU access to trigger a buffer overflow in the watch_points array via a crafted watch_id value. The flaw stems from signed/unsigned integer mishandling in kfd_dbg_trap_clear_dev_address_watch(), where userspace-supplied watch_id values exceeding INT_MAX cause undefined bit shifts and out-of-bounds memory access. No public exploit identified at time of analysis, and EPSS scores exploitation probability at only 0.02%.

Technical ContextAI

The vulnerability resides in drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c, part of the AMD Kernel Fusion Driver (amdkfd) that supports HSA/ROCm compute workloads on AMD GPUs. The debug address watch facility lets userspace debuggers monitor GPU memory accesses by setting watchpoints indexed by watch_id. The helper kfd_dbg_owns_dev_watch_id() accepted watch_id as a signed int and performed bitwise shifts (e.g., 1 << watch_id) without validating against MAX_WATCH_ADDRESSES (4), so a u32 value above INT_MAX wraps to negative, triggering undefined behavior in C shift semantics and indexing past the fixed-size pdd->watch_points[4] array. This is a classic buffer overflow / out-of-bounds write pattern (CWE-787/CWE-125 family) caused by missing input validation at the syscall boundary, originally introduced in Linux 6.5.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0 (or later within each stable series) as published on git.kernel.org (e.g., https://git.kernel.org/stable/c/2b36c0c1bcbbe15f6cfa9652084b3124c835a150 and the four sibling commits). Distribution users should apply the corresponding vendor kernel updates (RHEL, Ubuntu, SUSE, Debian) once backported. If immediate patching is not possible on AMD GPU compute hosts, a compensating control is to restrict access to the KFD device node (typically /dev/kfd) so only trusted users/groups can open it - this prevents untrusted local users from invoking the vulnerable ioctl path, with the side effect of blocking unprivileged ROCm/HSA compute workloads for those users. Avoid loading the amdkfd module on systems that do not need GPU compute as an additional hardening measure, accepting the trade-off of losing AMD GPU compute functionality.

More in Amd

View all
CVE-2021-22986 CRITICAL POC
9.8 Mar 31

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.

CVE-2020-6103 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6102 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6101 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6100 CRITICAL POC
9.9 Jul 20

An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. Rated criti

CVE-2018-6546 CRITICAL POC
9.8 Apr 13

plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming

CVE-2021-3653 HIGH POC
8.8 Sep 29

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. Rated high severity (CVSS 8.8), this vu

CVE-2020-12138 HIGH POC
8.8 Apr 27

AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of se

CVE-2019-5098 HIGH POC
8.6 Dec 05

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. Rated high

CVE-2015-7724 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2015-7723 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.7 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2023-1048 HIGH POC
7.8 Feb 26

A vulnerability, which was classified as critical, has been found in TechPowerUp Ryzen DRAM Calculator 1.2.0.5.sys. Rate

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy