HIGH
accel/amdxdna CommandSlot OOB
CVE-2026-23288
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Fix out-of-bounds memset in command slot handling

The remaining space in a command slot may be smaller than the size of the command header. Clearing the command header with memset() before verifying the available slot space can result in an out-of-bounds write and memory corruption.

Fix this by moving the memset() call after the size validation.
02 KernelScan AI Analysis
Risk summary
Local attackers with access to AMD XDNA accelerator devices can trigger out-of-bounds memory writes during command processing, potentially leading to memory corruption, privilege escalation, or system crashes. This affects systems with AMD AI/ML accelerator hardware where users can submit commands to the device.
Vulnerability analysis
The vulnerability occurs in the AMD XDNA accelerator driver's command slot handling functions. The code calls memset() to clear command headers before validating that sufficient space exists in the command slot buffer. When the remaining slot space is smaller than the header size, memset() writes beyond the allocated buffer boundaries, causing heap corruption. The fix moves the memset() calls after size validation checks in four command processing functions (aie2_cmdlist_fill_npu_cf, aie2_cmdlist_fill_npu_dpu, aie2_cmdlist_fill_npu_preempt, aie2_cmdlist_fill_npu_elf). This requires local access and the ability to interact with the accelerator device, typically requiring membership in specific device groups or CAP_SYS_ADMIN privileges.
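The ordering problem described above, as an added user-space model (not the driver's code): the slot size, header layout, function names and the -ENOSPC return value are all assumptions made for illustration. A guard region placed after the modeled slot shows that clearing the header before the space check damages adjacent memory even though the call still reports an error.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE  64    /* constructed slot size, not the driver's value */
#define GUARD_SIZE 32    /* stands in for whatever memory follows the slot */
#define GUARD_BYTE 0xA5

struct cmd_hdr { uint32_t words[6]; };   /* hypothetical 24-byte header */

/* One backing array: bytes [0, SLOT_SIZE) are the slot, the rest is guard. */
struct slot_model { uint8_t mem[SLOT_SIZE + GUARD_SIZE]; };

void slot_init(struct slot_model *s)
{
    memset(s->mem, 0xFF, SLOT_SIZE);
    memset(s->mem + SLOT_SIZE, GUARD_BYTE, GUARD_SIZE);
}

/* Number of guard bytes that were overwritten. */
size_t guard_damage(const struct slot_model *s)
{
    size_t n = 0;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        n += (s->mem[SLOT_SIZE + i] != GUARD_BYTE);
    return n;
}

/* Pre-fix ordering: header cleared first, space checked afterwards.
 * Model only: the caller keeps offset <= SLOT_SIZE so the write stays
 * inside mem[] and lands in the guard instead of real foreign memory. */
int fill_before_check(struct slot_model *s, size_t offset)
{
    size_t remaining = SLOT_SIZE - offset;
    memset(s->mem + offset, 0, sizeof(struct cmd_hdr)); /* can pass slot end */
    if (remaining < sizeof(struct cmd_hdr))
        return -ENOSPC;   /* too late: the write has already happened */
    return 0;
}

/* Fixed ordering: validate the remaining space, then clear the header. */
int fill_after_check(struct slot_model *s, size_t offset)
{
    if (offset > SLOT_SIZE || SLOT_SIZE - offset < sizeof(struct cmd_hdr))
        return -ENOSPC;
    memset(s->mem + offset, 0, sizeof(struct cmd_hdr));
    return 0;
}
```

With 8 bytes left in the modeled slot (offset 56), both functions return -ENOSPC, but only the pre-fix ordering leaves 16 guard bytes overwritten.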
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.7 | cca770d710d5 |