HIGH
accel/amdxdna UBuf Overflow
CVE-2026-23280
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 7.7 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Prevent ubuf size overflow

The ubuf size calculation may overflow, resulting in an undersized allocation and possible memory corruption.

Use check_add_overflow() helpers to validate the size calculation before allocation.
02 KernelScan AI Analysis
Risk summary
Local unprivileged attackers can trigger an integer overflow in the AMD XDNA accelerator driver’s buffer size calculation via a crafted DRM_IOCTL_AMDXDNA_CREATE_BO ioctl. The overflow results in an undersized kernel heap allocation, leading to an out-of-bounds write when the driver populates the page table array and possible subsequent kernel memory corruption, integrity loss, and system panic.
Vulnerability analysis
The vulnerability exists in amdxdna_get_ubuf() where the driver accumulates user-supplied buffer lengths (va_ent[i].len) into exp_info.size without overflow checking. By supplying entries with large length values, an attacker can cause the size calculation to wrap around, yielding a small total size. This undersized value is used to allocate the kernel’s internal page array (ubuf->pages). The driver then iterates over the original entries and writes page pointers beyond the allocated array bounds, resulting in a heap-based buffer overflow. The fix validates each addition using check_add_overflow() and rejects the request with -EINVAL if an overflow is detected.
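The unchecked and checked accumulation patterns described above, as an added user-space example (not the driver's code or the upstream patch). It assumes a hypothetical struct va_entry, a 4 KiB page size, one array slot per page of each entry, and GCC/Clang's __builtin_add_overflow() standing in for the kernel's check_add_overflow(); the sample entries are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SHIFT 12 /* assumed 4 KiB pages */
/* User-space stand-in for the kernel helper: true if a + b wrapped. */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

/* Hypothetical model of one user-supplied entry; only .len is named on the page. */
struct va_entry { uint64_t vaddr; uint64_t len; };

/* Constructed samples: the first pair sums past 2^64, the second is benign. */
static const struct va_entry sample_wrap[] = { { 0x10000, 0xFFFFFFFFFFFFF000ULL }, { 0x20000, 0x2000 } };
static const struct va_entry sample_ok[]   = { { 0x10000, 0x1000 }, { 0x20000, 0x3000 } };

/* Pre-fix pattern: plain += wraps silently, so the total can end up tiny. */
static uint64_t total_size_unchecked(const struct va_entry *ent, size_t n)
{
    uint64_t size = 0;
    for (size_t i = 0; i < n; i++)
        size += ent[i].len;
    return size;
}

/* Slots a per-entry fill loop would write (assumed: one slot per page). */
static uint64_t slots_written(const struct va_entry *ent, size_t n)
{
    uint64_t slots = 0;
    for (size_t i = 0; i < n; i++)
        slots += ent[i].len >> EX_PAGE_SHIFT;
    return slots;
}

/* Post-fix pattern: every addition is validated; a wrap rejects the request. */
static int total_size_checked(const struct va_entry *ent, size_t n, uint64_t *out)
{
    uint64_t size = 0;
    for (size_t i = 0; i < n; i++)
        if (check_add_overflow(size, ent[i].len, &size))
            return -EINVAL;
    *out = size;
    return 0;
}

int main(void)
{
    uint64_t total = 0;
    printf("unchecked: %llu slot(s) sized, %llu written\n",
           (unsigned long long)(total_size_unchecked(sample_wrap, 2) >> EX_PAGE_SHIFT),
           (unsigned long long)slots_written(sample_wrap, 2));
    printf("checked: wrap -> %d, benign -> %d\n",
           total_size_checked(sample_wrap, 2, &total), total_size_checked(sample_ok, 2, &total));
    return 0;
}
```

The gap between the slot count derived from the wrapped total and the count implied by the individual entries is the undersized allocation; the checked variant never reaches the allocation step for such input.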
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.17 | 1500b31db943 |
| 6.19 | 6.19.7 | 972bf4a23478 |
| mainline | 7.0 | 03808abb1d86 |