Skip to main content

Linux Kernel EUVDEUVD-2026-32319

| CVE-2026-45853 HIGH
Out-of-bounds Write (CWE-787)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-f6wq-h8g2-9j9p
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local AMD-GPU driver path needs low-privilege local execution (AV:L/PR:L), no user interaction, and kernel memory corruption gives high C/I/A.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 23:30 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Use kvfree instead of kfree in amdgpu_gmc_get_nps_memranges()

amdgpu_discovery_get_nps_info() internally allocates memory for ranges using kvcalloc(), which may use vmalloc() for large allocation. Using kfree() to release vmalloc memory will lead to a memory corruption.

Use kvfree() to safely handle both kmalloc and vmalloc allocations.

Compile tested only. Issue found using a prototype static analysis tool and code review.

AnalysisAI

Memory corruption in the Linux kernel's AMD GPU driver (amdgpu) arises because amdgpu_gmc_get_nps_memranges() releases buffers allocated by amdgpu_discovery_get_nps_info() with kfree() even though that memory may have been allocated via kvcalloc()/vmalloc(), corrupting the kernel allocator state. The flaw affects systems running AMD GPUs on kernels prior to the fixed stable releases (6.12.75, 6.18.14, 6.19.4, and 7.0). There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue was found via static analysis and code review rather than in-the-wild exploitation.

Technical ContextAI

The bug lives in the AMD GPU kernel-mode driver (drm/amdgpu), specifically the GMC (Graphics Memory Controller) NPS (NUMA-Per-Socket) memory-range discovery path. Linux provides kmalloc-family allocators plus kvmalloc/kvcalloc, which transparently fall back from contiguous kmalloc to non-contiguous vmalloc for large allocations; the corresponding correct free is kvfree(), which inspects the pointer and routes to either kfree() or vfree(). Here amdgpu_discovery_get_nps_info() allocates the ranges array with kvcalloc(), but the caller frees it with plain kfree(). When the allocation is large enough to have been satisfied by vmalloc, passing the vmalloc address to kfree() mishandles the slab metadata, producing the CWE-787 (Out-of-bounds Write) memory corruption captured by this CVE. The CPE data scopes this strictly to cpe:2.3:o:linux:linux_kernel, i.e. the upstream kernel image, and the fix simply swaps kfree() for kvfree().

RemediationAI

Apply the vendor (kernel.org stable) patch by upgrading to a fixed release: 6.12.75, 6.18.14, 6.19.4, or 7.0 or later, depending on your stable branch - these correspond to commits such as 0c44d61945c4..., 16e7e7ad8cdc..., 9ae85b0c1909... and f441538893eb... (Vendor-released patch: 6.12.75 / 6.18.14 / 6.19.4 / 7.0). Distribution users should install the equivalent backported kernel package from their vendor and reboot. Because the fix is a trivial kfree()→kvfree() change with no functional side effects, there is no benefit to deferring it. If immediate patching is not possible, the only meaningful compensating control is to restrict local access - limit who can run code on affected hosts and tighten access to systems with AMD GPUs - since exploitation requires local low-privileged execution; there is no feature flag or runtime toggle to disable this specific allocation path without removing the amdgpu driver entirely, which would disable AMD graphics. Reference the stable commits at https://git.kernel.org/stable/c/0c44d61945c4a80775292d96460aa2f22e62f86c.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32319 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy