Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local low-privilege GPU compute access required; impact is GPU subsystem crash only; no confidentiality or integrity impact applies.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Skip CSD when it has zeroed workgroups
A compute shader dispatch encodes its workgroup counts in the CFG0..CFG2 registers. Kicking off a dispatch with a zero count in any of the three dimensions is invalid. First, the hardware will process 0 as 65536, while the user-space driver exposes a maximum of 65535. Over that, a submission with a zeroed workgroup dimension should be a no-op.
These zeroed counts can reach the dispatch path through an indirect CSD job, whose workgroup counts are only known once the indirect buffer is read and may legitimately be zero, but such scenario should only result in a no-op.
Overwrite the indirect CSD job workgroup counts with the indirect BO ones, even if they are zeroed, and don't submit the job to the hardware when any of the workgroup counts is zero, so the job completes immediately instead of running the shader.
AnalysisAI
The drm/v3d GPU driver in the Linux kernel mishandles indirect Compute Shader Dispatch (CSD) jobs that carry zeroed workgroup dimension counts, allowing a local low-privilege user with GPU compute access to crash the VideoCore VI GPU subsystem. The hardware interprets a zero workgroup count as 65536 - exceeding the user-space-exposed maximum of 65535 - instead of treating the dispatch as a no-op, causing undefined GPU behavior and a denial-of-service condition. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) a Linux system running a kernel version from 5.3 through pre-patch versions of 6.18, 7.0, or 7.1; (2) hardware with a Broadcom VideoCore VI GPU (Raspberry Pi 4, Raspberry Pi 5, or compatible SoC); (3) local authenticated access with permissions to submit GPU compute jobs to the V3D DRM device node (membership in the 'render' or 'video' group, or equivalent); and (4) the ability to submit an indirect CSD dispatch - a specific GPU compute path used by OpenCL or Vulkan compute pipelines where workgroup counts are resolved from a GPU buffer at dispatch time. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H accurately reflects the exploit profile: local access, low complexity, low privilege, no user interaction, with Availability as the sole impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with access to the V3D DRM render device on a Raspberry Pi 4 or 5 constructs and submits an OpenCL or Vulkan compute dispatch that resolves to an indirect CSD job, where the indirect GPU buffer contains zero in one or more workgroup dimension fields. Before the patch, the driver reads these zeroed counts, writes them to hardware registers CFG0-CFG2, and kicks the dispatch; the hardware interprets 0 as 65536, causing an invalid GPU operation that hangs or crashes the VideoCore VI subsystem, producing a denial-of-service condition for all GPU users on that host. … |
| Remediation | Apply one of the vendor-released stable kernel patches: Linux 6.18.36, 7.0.13, or 7.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39344
GHSA-qcxp-rj5j-4rr9