Skip to main content

Linux Kernel EUVDEUVD-2026-25459

| CVE-2026-31566 HIGH
Use After Free (CWE-416)
2026-04-24 Linux GHSA-j5m6-wgmm-m7m9
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:37 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:32 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:30 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25459
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:35 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib

amdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence from amdgpu_ib_schedule(). This fence is used to wait for job completion.

Currently, the code drops the fence reference using dma_fence_put() before calling dma_fence_wait().

If dma_fence_put() releases the last reference, the fence may be freed before dma_fence_wait() is called. This can lead to a use-after-free.

Fix this by waiting on the fence first and releasing the reference only after dma_fence_wait() completes.

Fixes the below: drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696)

(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)

AnalysisAI

Use-after-free in Linux kernel AMD GPU driver allows local authenticated users to potentially execute arbitrary code, escalate privileges, or cause denial of service. The amdgpu_amdkfd_submit_ib() function in the AMD KFD (Kernel Fusion Driver) prematurely releases a DMA fence reference before waiting on it, creating a race condition where the fence memory may be freed before use. Vendor-released patches are available for multiple stable kernel branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability is very low at 0.02% (7th percentile), and no public exploit or active exploitation has been identified at time of analysis.

Technical ContextAI

This vulnerability affects the AMD GPU kernel driver's DMA (Direct Memory Access) fence management in the amdkfd (AMD Kernel Fusion Driver) component. DMA fences are synchronization primitives used to track GPU job completion in the Direct Rendering Manager (DRM) subsystem. The vulnerable code path occurs in amdgpu_amdkfd_submit_ib() when submitting Indirect Buffers to the GPU. The function obtains a fence object from amdgpu_ib_schedule() with an initial reference count, then calls dma_fence_put() (decrementing the reference) before dma_fence_wait() (blocking until fence signals). If the put operation releases the last reference, the fence structure is freed from memory while the pointer is still held. The subsequent dma_fence_wait() then dereferences freed memory, constituting a classic use-after-free condition. This represents a temporal memory safety violation where object lifetime management is incorrectly ordered. The affected code path is specific to AMD GPU hardware when processing compute workloads through the KFD interface, which provides GPU access to HSA (Heterogeneous System Architecture) applications. The vulnerability was introduced in commit 9ae55f030dc523fc4dc6069557e4a887ea815453 and fixed across multiple stable kernel branches.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.168 or later for the 6.1.x series, 6.6.131 or later for 6.6.x, 6.12.80 or later for 6.12.x, 6.18.21 or later for 6.18.x, 6.19.11 or later for 6.19.x, or 7.0 or later for the 7.x series. Upstream fixes are available in kernel.org stable repository commits bc7760c107dc, e23602eb0779, 138e42be35ff, 39820864eacd, 42d248726a08, and 7150850146eb. For systems that cannot immediately patch, a compensating control is to blacklist or prevent loading of the amdgpu kernel module (add 'blacklist amdgpu' to /etc/modprobe.d/blacklist.conf), though this disables AMD GPU functionality entirely and renders GPU-dependent workloads inoperable. Alternatively, restrict access to /dev/kfd device node to only trusted users via udev rules, limiting who can submit GPU compute jobs through the KFD interface, though this may break legitimate HSA/ROCm applications. Full advisory details are available at https://nvd.nist.gov/vuln/detail/CVE-2026-31566 and kernel.org stable Git repository. No workarounds provide complete protection without functional trade-offs.

More in Amd

View all
CVE-2021-22986 CRITICAL POC
9.8 Mar 31

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.

CVE-2020-6103 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6102 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6101 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6100 CRITICAL POC
9.9 Jul 20

An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. Rated criti

CVE-2018-6546 CRITICAL POC
9.8 Apr 13

plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming

CVE-2021-3653 HIGH POC
8.8 Sep 29

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. Rated high severity (CVSS 8.8), this vu

CVE-2020-12138 HIGH POC
8.8 Apr 27

AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of se

CVE-2019-5098 HIGH POC
8.6 Dec 05

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. Rated high

CVE-2015-7724 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2015-7723 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.7 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2023-1048 HIGH POC
7.8 Feb 26

A vulnerability, which was classified as critical, has been found in TechPowerUp Ryzen DRAM Calculator 1.2.0.5.sys. Rate

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy