Skip to main content

Linux Kernel CVE-2026-46311

| EUVDEUVD-2026-35121 HIGH
2026-06-08 Linux GHSA-9995-3vvw-2xwp
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local DRM device access required (AV:L, PR:L); winning a kernel race raises AC:H; successful exploitation yields full kernel memory corruption with high C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:30 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.8 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:50 cve.org
HIGH 7.8
CVE Published
Jun 08, 2026 - 15:50 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/userq: fix access to stale wptr mapping

Use drm_exec to take both locks i.e vm root bo and wptr_obj bo to access the mapping data properly.

This fixes the security issue of unmap the wptr_obj while a queue creation is in progress and passing other bo at same address.

(cherry picked from commit 1fc6c8ab45dbee096469c08c13f6099d57a52d6c)

AnalysisAI

Local privilege escalation in the Linux kernel's AMD GPU userqueue (drm/amdgpu/userq) driver allows a low-privileged local user to exploit a race condition between queue creation and wptr_obj unmapping, resulting in access to stale wptr mappings and potential substitution of a buffer object at the same address. The flaw affects AMD GPU userqueue handling and could enable memory corruption with high impact to confidentiality, integrity, and availability. No public exploit has been identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Technical ContextAI

The vulnerability resides in the AMD GPU DRM (Direct Rendering Manager) subsystem, specifically the userqueue implementation (drm/amdgpu/userq) which allows userspace to submit GPU work directly without kernel mediation per submission. The root cause is a Time-of-Check-to-Time-of-Use (TOCTOU)/race condition: the kernel did not hold both the VM root buffer object (bo) lock and the wptr_obj bo lock simultaneously when accessing wptr mapping data during queue creation. This permitted a concurrent unmap of wptr_obj followed by remapping a different buffer object at the same virtual address, leaving the in-flight queue creation operating on stale or attacker-controlled memory. The fix introduces drm_exec to atomically acquire both locks. Affected CPE strings reference cpe:2.3:a:linux:linux generically; the specific subsystem is the amdgpu kernel driver shipped with mainline Linux.

RemediationAI

Vendor-released patch: Linux 7.1-rc3 (mainline) and 7.0.9 (stable) - upgrade to these or any later kernel that includes commits 336a9186f3a4b65bbd865d93936605ac8a1a3991 and 6da7b1242da4455b11c24ce667d1cab1a348c8ea. Distribution users should apply the corresponding backported kernel update from their vendor (Red Hat, SUSE, Debian, Ubuntu, etc.) as it becomes available. If immediate patching is not possible, compensating controls include restricting access to AMD GPU device nodes (/dev/dri/renderD* and /dev/dri/card*) to trusted users via group permissions or udev rules - trade-off: this breaks unprivileged GPU compute and hardware-accelerated rendering for affected users; alternatively, blocklist the amdgpu module on systems that do not require AMD GPU functionality (trade-off: disables all AMD GPU acceleration including display). For multi-tenant or container hosts, avoid passing AMD GPU devices into untrusted workloads until patched. Patch URLs: https://git.kernel.org/stable/c/336a9186f3a4b65bbd865d93936605ac8a1a3991 and https://git.kernel.org/stable/c/6da7b1242da4455b11c24ce667d1cab1a348c8ea.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46311 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy