Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (Linux) · only source for this CVE.
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: avoid double drm_exec_fini() in userq validate
When new_addition is true, amdgpu_userq_vm_validate() calls drm_exec_fini(&exec) before iterating over the collected HMM ranges and calling amdgpu_ttm_tt_get_user_pages().
If amdgpu_ttm_tt_get_user_pages() fails in that path, the code jumps to unlock_all and calls drm_exec_fini(&exec) a second time on the same exec object. drm_exec_fini() is not idempotent: it frees exec->objects and may also drop exec->contended and finalize the ww acquire context.
Route that error path directly to the range cleanup once exec has already been finalized.
Issue found using a prototype static analysis tool and confirmed by code review.
(cherry picked from commit 2802952e4a07306da6ebe813ff1acacc5691851a)
AnalysisAI
Local privilege escalation and kernel memory corruption is possible in the Linux kernel's AMD GPU driver (amdgpu) via a double drm_exec_fini() in the user-queue validation path. When amdgpu_userq_vm_validate() runs with new_addition set, a failure in amdgpu_ttm_tt_get_user_pages() routes execution to a cleanup label that finalizes the already-freed drm_exec object a second time, corrupting kernel state. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Audit inventory of production Linux systems with AMD GPUs and prioritize patching. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38855
GHSA-j5vg-4jfw-25g2