Skip to main content

Linux Kernel drm/v3d EUVDEUVD-2026-39344

| CVE-2026-53139 MEDIUM
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-qcxp-rj5j-4rr9
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local low-privilege GPU compute access required; impact is GPU subsystem crash only; no confidentiality or integrity impact applies.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 15:08 vuln.today
CVSS changed
Jul 06, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Skip CSD when it has zeroed workgroups

A compute shader dispatch encodes its workgroup counts in the CFG0..CFG2 registers. Kicking off a dispatch with a zero count in any of the three dimensions is invalid. First, the hardware will process 0 as 65536, while the user-space driver exposes a maximum of 65535. Over that, a submission with a zeroed workgroup dimension should be a no-op.

These zeroed counts can reach the dispatch path through an indirect CSD job, whose workgroup counts are only known once the indirect buffer is read and may legitimately be zero, but such scenario should only result in a no-op.

Overwrite the indirect CSD job workgroup counts with the indirect BO ones, even if they are zeroed, and don't submit the job to the hardware when any of the workgroup counts is zero, so the job completes immediately instead of running the shader.

AnalysisAI

The drm/v3d GPU driver in the Linux kernel mishandles indirect Compute Shader Dispatch (CSD) jobs that carry zeroed workgroup dimension counts, allowing a local low-privilege user with GPU compute access to crash the VideoCore VI GPU subsystem. The hardware interprets a zero workgroup count as 65536 - exceeding the user-space-exposed maximum of 65535 - instead of treating the dispatch as a no-op, causing undefined GPU behavior and a denial-of-service condition. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local shell on VideoCore VI host
Delivery
Access DRM V3D render device node (/dev/dri/renderD*)
Exploit
Submit indirect CSD compute job via Vulkan or OpenCL API
Install
Driver reads zeroed workgroup counts from indirect GPU buffer
C2
Driver forwards zero counts to CFG0-CFG2 hardware registers
Execute
Hardware wraps 0 to 65536 triggering invalid dispatch
Impact
GPU subsystem crash / denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) a Linux system running a kernel version from 5.3 through pre-patch versions of 6.18, 7.0, or 7.1; (2) hardware with a Broadcom VideoCore VI GPU (Raspberry Pi 4, Raspberry Pi 5, or compatible SoC); (3) local authenticated access with permissions to submit GPU compute jobs to the V3D DRM device node (membership in the 'render' or 'video' group, or equivalent); and (4) the ability to submit an indirect CSD dispatch - a specific GPU compute path used by OpenCL or Vulkan compute pipelines where workgroup counts are resolved from a GPU buffer at dispatch time. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H accurately reflects the exploit profile: local access, low complexity, low privilege, no user interaction, with Availability as the sole impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with access to the V3D DRM render device on a Raspberry Pi 4 or 5 constructs and submits an OpenCL or Vulkan compute dispatch that resolves to an indirect CSD job, where the indirect GPU buffer contains zero in one or more workgroup dimension fields. Before the patch, the driver reads these zeroed counts, writes them to hardware registers CFG0-CFG2, and kicks the dispatch; the hardware interprets 0 as 65536, causing an invalid GPU operation that hangs or crashes the VideoCore VI subsystem, producing a denial-of-service condition for all GPU users on that host. …
Remediation Apply one of the vendor-released stable kernel patches: Linux 6.18.36, 7.0.13, or 7.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39344 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy