Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local GPU device access required (AV:L, PR:L); memory leak yields availability impact only - no data disclosure or modification path exists.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups
v3d_rewrite_csd_job_wg_counts_from_indirect() maps both the indirect buffer and the workgroup buffer and is expected to release them before returning. When any of the workgroup counts read from the buffer is zero, the function bailed out early and skipped the cleanup, leaking the vaddr mappings of both BOs.
Jump to the cleanup path instead of returning directly, so the mappings are always dropped.
AnalysisAI
Memory exhaustion via vaddr leak in the Linux kernel's V3D DRM driver allows a local low-privileged user to degrade or deny service on systems equipped with Broadcom V3D GPUs. The function v3d_rewrite_csd_job_wg_counts_from_indirect() maps two buffer objects (indirect buffer and workgroup buffer) but takes an early return path - without releasing the vaddr mappings - whenever any workgroup count read from the indirect buffer is zero, permanently leaking both BO mappings per triggering job submission. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have local access to the target system and at minimum low-privilege access to the V3D GPU device node (e.g., membership in the render or video group granting open access to /dev/dri/renderD*). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.5 Medium score with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H is technically well-calibrated: local access, low-privilege GPU device access, and an availability-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with render group membership on a Raspberry Pi 4/5 running an affected kernel submits a series of crafted indirect Compute Shader Dispatch jobs where the indirect buffer encodes a zero in any workgroup count field. Each submission causes the kernel to map and then permanently leak two BO vaddr mappings. … |
| Remediation | The primary fix is to upgrade to a patched Linux kernel version: 6.12.94, 6.18.36, 7.0.13, or 7.1 (mainline). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39231
GHSA-mrv3-46fp-r6hh