Skip to main content

Linux Kernel amdgpu EUVDEUVD-2026-28706

| CVE-2026-43400 MEDIUM
2026-05-08 Linux GHSA-q4g6-xq34-4jxw
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 19:39 vuln.today
CVSS changed
May 21, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: add upper bound check on user inputs in signal ioctl

Huge input values in amdgpu_userq_signal_ioctl can lead to a OOM and could be exploited.

So check these input value against AMDGPU_USERQ_MAX_HANDLES which is big enough value for genuine use cases and could potentially avoid OOM.

(cherry picked from commit be267e15f99bc97cbe202cd556717797cdcf79a5)

AnalysisAI

Out-of-memory exploitation in the Linux kernel's amdgpu DRM subsystem allows a local, low-privileged user to crash the system by supplying unchecked huge values to the amdgpu_userq_signal_ioctl interface. The missing upper-bound validation on user inputs enables resource exhaustion that can destabilize or deny service on any Linux system equipped with a supported AMD GPU. No public exploit code exists and no active exploitation has been confirmed (no CISA KEV listing), with an EPSS of 0.02% placing this firmly in the low-priority tier for most environments outside high-assurance or shared multi-user GPU workloads.

Technical ContextAI

The vulnerability resides in the Direct Rendering Manager (DRM) subsystem of the Linux kernel, specifically within the AMDGPU driver's user queue signaling ioctl handler (amdgpu_userq_signal_ioctl). User queue management enables direct GPU scheduling from userspace, a feature designed for low-latency compute and graphics workloads. The handler accepted arbitrarily large integer values from userspace without validating them against any upper bound, allowing a caller to request allocation or iteration over an unreasonably large number of handles. The fix introduces a comparison against the AMDGPU_USERQ_MAX_HANDLES constant, which is sized to accommodate legitimate use cases while preventing runaway memory allocation. Although no CWE is formally assigned, this is functionally consistent with CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-20 (Improper Input Validation). The CPE data (cpe:2.3:a:linux:linux) reflects the upstream kernel across all affected stable branches.

RemediationAI

The primary fix is to upgrade to a patched kernel release: Linux 6.18.19, Linux 6.19.9, or Linux 7.0 or later. The upstream commits are available at https://git.kernel.org/stable/c/6fff5204d8aa26b1be50b6427f833bd3e8899c4f (6.18.x), https://git.kernel.org/stable/c/46630d966b99b0fc6cb01fef4110587f3375a0c0 (6.19.x), and https://git.kernel.org/stable/c/ea78f8c68f4f6211c557df49174c54d167821962 (mainline/7.0). For systems that cannot be patched immediately, compensating controls include restricting access to the AMD GPU device nodes (typically under /dev/dri/) using udev rules or filesystem ACLs to limit access to explicitly trusted users or groups - this prevents the ioctl from being reachable by unprivileged attackers entirely. Alternatively, blacklisting the amdgpu kernel module (blacklist amdgpu in /etc/modprobe.d/) eliminates the attack surface but also disables AMD GPU functionality completely. Neither workaround is suitable for production GPU compute nodes; patching is the recommended resolution.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy