Skip to main content

Linux Kernel CVE-2026-53143

| EUVDEUVD-2026-39234 HIGH
Incorrect Calculation of Buffer Size (CWE-131)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-c92m-wmf9-qxfw
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local GPU-capable user (AV:L/PR:L), no interaction (UI:N); OOB read leaks kernel GTT memory and OOB write corrupts it, giving high C/I/A.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jul 08, 2026 - 15:00 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 15:00 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 14:52 vuln.today
cvss_changed
CVSS changed
Jul 08, 2026 - 14:52 NVD
7.0 (HIGH) 7.8 (HIGH)
Analysis Generated
Jun 30, 2026 - 05:30 vuln.today
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.0 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.0
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11

The v11 MQD manager incorrectly assigned the CP-compute variants of checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow.

During CRIU checkpoint of an SDMA queue on Navi3x:

  • checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer,

leaking 1536 bytes of adjacent GTT memory to userspace

During CRIU restore:

  • restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer,

corrupting 1536 bytes of adjacent GTT memory (often the ring buffer or neighboring MQDs)

This is a copy-paste regression unique to v11. All other ASIC backends (cik, vi, v9, v10, v12) correctly use the SDMA-specific variants.

Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly handle the smaller v11_sdma_mqd structure, matching the pattern used in other MQD managers.

(cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)

AnalysisAI

Local information disclosure and memory corruption in the Linux kernel's AMD KFD (amdkfd) driver affects GFX11/Navi3x GPUs, where the v11 MQD manager wrongly used CP-compute checkpoint/restore handlers for SDMA queues. During a CRIU checkpoint or restore of an SDMA queue, the driver treats a 512-byte v11_sdma_mqd buffer as a 2048-byte v11_compute_mqd, so it either leaks 1536 bytes of adjacent GTT memory to userspace or overwrites 1536 bytes of neighboring GTT memory (ring buffers or adjacent MQDs). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privileged shell on Navi3x host
Delivery
Launch GPU compute process creating SDMA queue
Exploit
Invoke CRIU checkpoint/restore on the queue
Execution
Trigger oversized copy against 512-byte MQD
Persist
Read adjacent GTT memory or corrupt neighboring buffers
Impact
Leak kernel data or cause DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to a host with an AMD GFX11/Navi3x (RDNA3) GPU and the ability to run a GPU compute workload that creates a KFD_MQD_TYPE_SDMA queue, then to trigger a CRIU checkpoint (for the 1536-byte GTT memory-disclosure read) or a CRIU restore of an attacker-influenced image (for the 1536-byte GTT out-of-bounds write). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine memory-safety bug but a modest real-world priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privileged user on a workstation or GPU node fitted with a Navi3x/RDNA3 card starts a compute process that creates an SDMA queue, then invokes a CRIU checkpoint; the driver reads 2048 bytes from the 512-byte MQD and returns 1536 bytes of adjacent GTT memory into the userspace checkpoint image, disclosing kernel-managed data. Conversely, crafting a CRIU restore image causes restore_mqd() to write 2048 bytes into the 512-byte buffer, corrupting neighboring ring buffers or MQDs for a denial of service or potential further manipulation. …
Remediation Vendor-released patch: update to a fixed stable kernel - 6.6.143, 6.12.94, 7.0.13, or 6.18.36 (or 7.1 mainline), whichever matches your branch - which adds dedicated checkpoint_mqd_sdma() and restore_mqd_sdma() functions that use the correct 512-byte v11_sdma_mqd size. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory systems running GFX11/Navi3x AMD GPUs with Linux kernel. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-1000083 HIGH POC
7.8 Sep 05

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e

CVE-2024-3568 CRITICAL POC
9.6 Apr 10

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2022-41604 HIGH POC
8.8 Sep 27

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever

CVE-2024-24919 HIGH POC
8.6 May 28

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte

CVE-2026-58659 HIGH POC
8.4 Jul 15

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2013-7350 CRITICAL
10.0 Apr 01

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef

CVE-2026-31214 CRITICAL
9.8 May 12

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec

CVE-2019-8459 CRITICAL
9.8 Jun 20

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us

CVE-2026-31222 HIGH
8.8 May 12

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin

Share

CVE-2026-53143 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy