Skip to main content

Linux Kernel EUVDEUVD-2026-32847

| CVE-2026-46220 MEDIUM
Reachable Assertion (CWE-617)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5vh3-fx9f-223v
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 19:05 vuln.today
CVSS changed
Jun 10, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned. These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.

Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel. A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.

The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.

(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)

AnalysisAI

Kernel panic via reachable assertion in the Linux kernel's AMDGPU SDMA v4 driver allows a local low-privileged user to crash the system by submitting crafted GPU command buffers. The sdma_v4_0_ring_emit_fence() function contains BUG_ON() assertions verifying dword-alignment of fence writeback addresses; these assertions are reachable through the DRM_IOCTL_AMDGPU_CS ioctl from unprivileged userspace, causing a fatal panic in a kernel scheduler worker thread. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.02% reflects low exploitation likelihood, but the impact on shared GPU compute systems warrants prompt patching.

Technical ContextAI

The affected component is the AMD GPU SDMA (Secure DMA) version 4 engine driver within the Linux kernel DRM/AMDGPU subsystem, present since the SDMA v4 hardware introduction (commit 2130f89c, approximately kernel 4.12). SDMA v4 is used in AMD Vega-generation and related GPUs. The vulnerability class is CWE-617 (Reachable Assertion): the ring emission callback sdma_v4_0_ring_emit_fence() uses BUG_ON(addr & 0x3) to assert that fence writeback addresses are 4-byte (dword) aligned. BUG_ON() in the Linux kernel halts execution immediately and triggers a kernel oops/panic - appropriate for invariants that can only be violated by driver bugs, but catastrophic when the assertion path is reachable from userspace-controlled input. The DRM_IOCTL_AMDGPU_CS ioctl (command submission) exposes a code path leading to this callback, meaning a crafted CS submission with a misaligned fence address bypasses the expected filtering at the ioctl boundary and reaches the fatal assertion deep in the ring emission path. The fix replaces BUG_ON with WARN_ON, logging the driver bug without crashing the kernel. CPE confirms affected products as linux:linux_kernel across multiple stable branches.

RemediationAI

Upgrade to a patched kernel version: 6.6.140 or later for the 6.6.x stable branch, 6.12.90 or later for 6.12.x, 6.18.32 or later for 6.18.x, 7.0.9 or later for 7.0.x, or 7.1-rc3 or later for mainline. Patch is available from the Linux kernel stable team via git.kernel.org (see fix commits above). The upstream cherry-pick commit is b90250bd933afd1ba94d86d6b13821997b22b18e. For systems that cannot be patched immediately, compensating controls include restricting access to the AMD GPU DRM render nodes (/dev/dri/renderD*) to trusted users only via group permissions (e.g., the 'render' or 'video' group), which prevents unprivileged users from submitting CS ioctls; trade-off is that GPU-accelerated applications for non-privileged users will break. Alternatively, if AMD GPU compute access is not required for interactive users, blocking access to the DRM device entirely via udev rules is effective. Removing untrusted local users from systems with SDMA v4 GPUs is the most conservative compensating control but has obvious operational impact. Distribution-specific kernel updates (RHEL, Ubuntu, SUSE, Debian) should be monitored for backported fixes if the above upstream versions do not match the installed kernel series.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32847 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy