Skip to main content

Linux Kernel EUVDEUVD-2026-32845

| CVE-2026-46218 HIGH
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-qmfv-4x39-7vh3
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:08 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.1 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.1

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Add bounds checking to ib_{get,set}_value

The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.

Also make the idx a uint32_t to prevent overflows causing the condition to fail.

AnalysisAI

Out-of-bounds memory access in the Linux kernel's amdgpu (AMD GPU) driver allows local users with low privileges to trigger denial of service or read sensitive kernel memory by interacting with the uvd/vce/vcn IB (indirect buffer) handling paths. The flaw stems from missing bounds checks in ib_get_value and ib_set_value when accessing the IB at predefined offsets, compounded by a signed-integer index that could overflow. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Technical ContextAI

The vulnerability resides in the AMD GPU (amdgpu) DRM driver in the Linux kernel, specifically in the helper routines ib_get_value() and ib_set_value() used by the UVD (Unified Video Decoder), VCE (Video Coding Engine), and VCN (Video Core Next) submodules responsible for hardware-accelerated video decode/encode. These helpers read and write fields inside an Indirect Buffer (IB) - a userspace-supplied command buffer submitted to the GPU - at hardcoded offsets without validating that the IB is large enough to contain those offsets. Additionally, the index variable was a signed int, allowing arithmetic overflow that could bypass any size check. The root cause class aligns with CWE-125/CWE-787 (out-of-bounds read/write), although no CWE was assigned in the source data.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.6.140, 6.12.90, 6.18.32, 7.0.9, or 7.1-rc1 (or later) depending on which stable branch you track; the upstream stable commits are available at https://git.kernel.org/stable/c/0fb5cb556b249b2b64c0f818136c4c3e838ef53f and the four sibling commits listed in references. Distribution users should apply the next kernel update from their vendor (RHEL, Ubuntu, SUSE, Debian) once it ships these stable backports. As a compensating control until patching, restrict access to GPU device nodes by removing untrusted users from the 'video' and 'render' groups and tightening permissions on /dev/dri/renderD* and /dev/dri/card*, accepting the trade-off that affected users lose hardware-accelerated video decode/encode and GPU compute access; on systems that do not require AMD GPU acceleration, blacklisting the amdgpu module entirely eliminates exposure but disables the GPU. Containerized environments should ensure GPU device passthrough is not exposed to untrusted workloads.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32845 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy