Skip to main content

Linux Kernel CVE-2026-46197

| EUVDEUVD-2026-32824 HIGH
Out-of-bounds Write (CWE-787)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-38pr-68p2-9hqw
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:04 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: validate SVM ioctl nattr against buffer size

Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.

(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)

AnalysisAI

Local privilege escalation via out-of-bounds buffer access in the Linux kernel's AMD KFD (Kernel Fusion Driver) SVM ioctl interface allows authenticated local users to corrupt kernel memory by supplying an attacker-controlled nattr attribute count that exceeds the buffer size. The flaw affects systems running AMD GPUs with the amdkfd driver and has been resolved upstream across multiple stable branches. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the high CIA impact warrants prompt patching on AMD GPU compute workstations and HPC nodes.

Technical ContextAI

The vulnerability resides in drm/amdkfd, the AMD Kernel Fusion Driver that exposes GPU compute (HSA/ROCm) capabilities to userspace via ioctl interfaces. The Shared Virtual Memory (SVM) ioctl accepts an 'nattr' field describing how many attributes the caller is supplying, and prior to the fix the kernel did not validate this count against the actual buffer size, enabling out-of-bounds reads/writes during attribute processing. This is a classic missing input validation / improper bounds check pattern (analogous to CWE-120/CWE-129), where a user-controlled length is trusted without sanitization. The upstream fix (commit 5eca8bfdfa45) adds an explicit size validation before iterating the attribute array.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.90, 6.18.32, 7.0.9, or 7.1-rc2 (or later) depending on the stable branch in use, applying the cherry-picked fix from upstream commit 5eca8bfdfa456c3304ca77523718fe24254c172f available at https://git.kernel.org/stable/c/045e0ff208f0838a246c10204105126611b267a1 and the companion commits 6abd3a4417cb, 91c6dc5a4169, ccd060b5c7cc, and db9530a9873a. Distribution kernels should pick up the fix through normal vendor channels (RHEL, SUSE, Ubuntu, Debian) - track each distro's CVE tracker. As a compensating control until patching, restrict access to /dev/kfd via udev rules or group permissions so that only trusted users can issue KFD ioctls (trade-off: blocks unprivileged ROCm/HSA workloads), or unload/blacklist the amdkfd module on systems that do not require AMD GPU compute (trade-off: disables GPU compute entirely while leaving display functionality via amdgpu intact).

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy