Skip to main content

Linux Kernel EUVDEUVD-2026-32755

| CVE-2026-46237 HIGH
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3rxv-c424-93r3
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:10 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.1 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.1

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/vcn3: Avoid overflow on msg bound check

As pointed out by SDL, the previous condition may be vulnerable to overflow.

(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)

AnalysisAI

Local privilege-escalation-adjacent denial of service and potential memory corruption in the Linux kernel's AMD GPU VCN3 (Video Core Next 3) driver allows a local low-privileged user with GPU access to trigger an integer overflow in the message bound check of the drm/amdgpu/vcn3 subsystem. The flaw was identified by AMD's SDL review and patched upstream, and per CVSS it yields high confidentiality and availability impact without integrity impact. Exploitation status: no public exploit identified at time of analysis, and EPSS is very low at 0.02%.

Technical ContextAI

The bug lives in the AMD GPU kernel driver (drivers/gpu/drm/amd/amdgpu), specifically the VCN3 (Video Core Next, third-generation hardware video codec engine used on RDNA2/Navi 2x and related GPUs). The driver validates the size/offset of messages submitted to the VCN firmware before forwarding them to the hardware ring buffer; the previous bound check used arithmetic that could wrap around on a 32-bit width, so a crafted message size could pass validation while pointing past the legitimate buffer. The CWE is not assigned in NVD data, but the tag 'Buffer Overflow' and the commit subject ('Avoid overflow on msg bound check') indicate this is a classic CWE-190 integer overflow leading to a downstream CWE-119/CWE-787 out-of-bounds access in the VCN3 message handling path. Affected source is reachable from userspace through the DRM/amdgpu ioctl interface (e.g., command submission to the VCN engine), which requires only membership in the render/video group on most distributions.

RemediationAI

Patch available per vendor advisory: update to a Linux kernel build that includes one of the fixing commits (016b64a, e6e9faba, e8124121, 1936310f, or 2e43b663 in the respective stable branches) by upgrading to your distribution's latest kernel package (Debian/Ubuntu DSA/USN, RHEL/AlmaLocky errata, SUSE SU, or Arch/Fedora rolling updates) once it ships these backports; mainline users should move to the next stable release after the cherry-pick lands. Until patched kernels are deployed, a practical compensating control is to restrict access to the DRM render nodes by removing untrusted local users from the 'render' and 'video' groups and tightening permissions on /dev/dri/renderD* (trade-off: breaks hardware-accelerated video decode and OpenCL/Vulkan compute for affected users), or to blacklist the amdgpu module on systems that do not need GPU acceleration (trade-off: loses display acceleration entirely and may break Wayland/Xorg on AMD-only hosts). On multi-tenant or container hosts, do not expose /dev/dri devices into untrusted containers until patched. Track the upstream commits via the git.kernel.org references already cited.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32755 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy