Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access inside a virtio-gpu VM with low privileges needed to trigger the fence error path; only availability impact from progressive memory leak.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait()
dma_fence_unwrap_for_each() internally calls dma_fence_unwrap_first() which does cursor->chain = dma_fence_get(head), taking an extra reference. On normal loop completion, dma_fence_unwrap_next() releases this via dma_fence_chain_walk() -> dma_fence_put().
When virtio_gpu_do_fence_wait() fails and the function returns early from inside the loop, the cursor->chain reference is never released. This is the only caller in the entire kernel that does an early return inside dma_fence_unwrap_for_each.
Add dma_fence_put(itr.chain) before the early return.
AnalysisAI
Reference-count leak in the Linux kernel's drm/virtio GPU driver allows a local low-privilege user inside a QEMU/KVM virtual machine to gradually exhaust kernel memory, causing a guest denial of service. The bug exists in virtio_gpu_dma_fence_wait(), where an early error return from inside dma_fence_unwrap_for_each() leaves a dma_fence reference acquired by dma_fence_unwrap_first() unreleased - the only such early-return site in the entire kernel tree. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be a virtual machine with a virtio-gpu paravirtual GPU device actively assigned (QEMU/KVM configuration). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 5.5 Medium score (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) is consistent with the described behavior: local exploitation requiring low privileges, with impact limited to availability (memory exhaustion) and no confidentiality or integrity compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local low-privilege user inside a QEMU/KVM VM with an active virtio-gpu device crafts GPU workloads designed to trigger an error return from virtio_gpu_do_fence_wait() during fence-chain iteration. Each failed call leaks one dma_fence reference; the attacker repeats this in a loop until cumulative unreleased references exhaust the guest kernel's memory, resulting in an out-of-memory condition and guest denial of service. … |
| Remediation | Update the Linux kernel to a patched stable release corresponding to the deployed branch: 7.0.13, 6.18.36, 6.12.94, or 6.6.143, or any 7.1 final release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39281
GHSA-vc55-8273-pjx9