Skip to main content

Linux Kernel EUVDEUVD-2026-27767

| CVE-2026-43206 HIGH
Out-of-bounds Write (CWE-787)
2026-05-06 Linux GHSA-h9w8-48v5-m9c9
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:37 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()

The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of bounds kernel memory write by passing a small buffer, leading to potential privilege escalation.

AnalysisAI

Out-of-bounds kernel memory write in Linux kernel's AMD KFD (Kernel Fusion Driver) allows local authenticated attackers with low privileges to escalate to root privileges. The kfd_event_page_set() function performs unchecked memset operations of fixed size (KFD_SIGNAL_EVENT_LIMIT * 8 bytes) regardless of user-supplied buffer size, enabling unprivileged userspace processes to corrupt kernel memory. Patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite high CVSS severity, likely due to the local attack vector and requirement for systems with AMD GPU hardware running the amdkfd driver.

Technical ContextAI

This vulnerability affects the AMD Kernel Fusion Driver (amdkfd) component of the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically in systems with AMD GPUs supporting Heterogeneous System Architecture (HSA). The kfd_event_page_set() function is part of the event signaling mechanism used for GPU-CPU synchronization in compute workloads. The flaw is a classic buffer overflow where the function writes a fixed-size block (KFD_SIGNAL_EVENT_LIMIT multiplied by 8 bytes, typically used for event signal slots) via memset() without validating that the destination buffer provided by userspace is large enough. Affected CPE identifiers include cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* across kernel versions from the initial git commit (1da177e4c3f4) through various stable branches. The vulnerability exists in the kernel's direct memory manipulation path accessible through ioctl interfaces, where buffer size validation is critical for memory safety. While no specific CWE is assigned, this represents CWE-787 (Out-of-bounds Write) or CWE-120 (Buffer Copy without Checking Size of Input).

RemediationAI

Immediately upgrade to patched kernel versions: 5.10.252 or later for 5.10.x series, 5.15.202+ for 5.15.x, 6.1.165+ for 6.1.x, 6.6.128+ for 6.6.x, 6.12.75+ for 6.12.x, 6.18.16+ for 6.18.x, 6.19.6+ for 6.19.x, or 7.0+ for mainline kernels. Patches are available from kernel.org stable branches at https://git.kernel.org/stable/ with specific commits listed in references. For systems unable to immediately patch, disable the amdkfd kernel module if AMD GPU compute features are not required ('echo blacklist amdkfd > /etc/modprobe.d/disable-amdkfd.conf' and reboot), noting this will prevent OpenCL/ROCm compute workloads and GPU-accelerated applications from functioning. Alternatively, restrict access to /dev/kfd device node to trusted users only via udev rules, though this provides limited protection since low-privilege users may already have legitimate access. Implement kernel address space layout randomization (KASLR) if not enabled to increase exploitation difficulty, though this does not prevent the vulnerability. Monitor systems for unusual privilege escalation attempts via audit logging of ioctl calls to DRM devices. Prioritize patching for multi-user systems with AMD GPUs, HPC clusters, GPU compute nodes, and workstations where multiple users have shell access.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27767 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy