Skip to main content

Linux Kernel CVE-2026-53144

| EUVDEUVD-2026-39235 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6wmm-rq3j-5c47
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local /dev/kfd device access required (AV:L), ioctl trivially crafted (AC:L/PR:L), impact is pure kernel panic with no data exposure (A:H/C:N/I:N).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 07, 2026 - 16:38 vuln.today
CVSS changed
Jul 07, 2026 - 16:37 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: fix NULL dereference in get_queue_ids()

When usr_queue_id_array is NULL and num_queues is non-zero, get_queue_ids() returns NULL. The callers check only IS_ERR() on the return value; since IS_ERR(NULL) == false the check passes, and suspend_queues() calls q_array_invalidate() which immediately dereferences NULL while iterating num_queues times.

Userspace can trigger this via kfd_ioctl_set_debug_trap() by supplying num_queues > 0 with a zero queue_array_ptr, causing a kernel panic.

A NULL usr_queue_id_array with num_queues == 0 is a legitimate no-op (q_array_invalidate never executes, and resume_queues already guards all queue_ids dereferences behind a NULL check). Return ERR_PTR(-EINVAL) only when num_queues is non-zero and the pointer is absent; both callers already propagate IS_ERR() returns correctly to userspace.

(cherry picked from commit f165a82cdf503884bb1797771c61b2fcc72113d4)

AnalysisAI

NULL pointer dereference in the Linux kernel's drm/amdkfd subsystem allows a local low-privileged user to trigger a kernel panic by invoking the kfd_ioctl_set_debug_trap() ioctl with a non-zero num_queues value and a NULL queue_array_ptr. The root flaw is that get_queue_ids() returns NULL in this case rather than ERR_PTR(-EINVAL), and both callers check only IS_ERR() - since IS_ERR(NULL) evaluates false, execution proceeds to q_array_invalidate(), which immediately dereferences the NULL pointer while iterating, crashing the kernel. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local session on AMD GPU system
Delivery
Access /dev/kfd device node
Exploit
Issue KFD_IOC_SET_DEBUG_TRAP ioctl with num_queues > 0 and NULL queue_array_ptr
Execution
get_queue_ids() returns NULL unchecked by IS_ERR()
Persist
q_array_invalidate() dereferences NULL pointer
Impact
Kernel panic forces system reboot

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the target system must have AMD GPU hardware installed and the amdkfd kernel module loaded - systems without AMD GPUs are completely unaffected; (2) the attacker must have read-write access to /dev/kfd, which on most Linux distributions is granted to users in the 'render' or 'video' group, or to users running AMD GPU compute workloads; (3) the attacker must be able to invoke the KFD_IOC_SET_DEBUG_TRAP ioctl. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.5 base score with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H accurately reflects a local, low-complexity denial-of-service vulnerability with no data exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user on an AMD GPU-equipped Linux system - such as a shared HPC node or GPU compute server - opens /dev/kfd and issues the KFD_IOC_SET_DEBUG_TRAP ioctl with the num_queues field set to any non-zero value while setting queue_array_ptr to zero (NULL). The kernel's get_queue_ids() returns NULL, the IS_ERR() check in the caller passes silently, and the subsequent q_array_invalidate() loop immediately dereferences the NULL pointer on its first iteration, producing an unrecoverable kernel oops or panic and forcing a system reboot. …
Remediation The primary remediation is to upgrade the Linux kernel to a version containing the backported fix: 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 stable, as published at https://git.kernel.org/stable/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53144 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy