HIGH
drm EventPage Overflow
CVE-2026-43206
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()

The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of-bounds kernel memory write by passing a small buffer, leading to potential privilege escalation.
02 KernelScan AI Analysis
Risk summary
Unprivileged users with access to AMD GPU devices can trigger an out-of-bounds kernel memory write by providing an undersized buffer to the event page setup function. This can lead to privilege escalation or system crashes on systems with AMD GPUs.
Vulnerability analysis
The kfd_event_page_set() function in AMD's Kernel Fusion Driver performs a memset operation writing KFD_SIGNAL_EVENT_LIMIT * 8 bytes without validating the user-provided buffer size parameter. This allows userspace to pass a smaller buffer than expected, causing the kernel to write beyond allocated memory boundaries. The fix adds proper size validation before the memset operation, ensuring the buffer is large enough to accommodate the write. The vulnerability is locally exploitable by any user with access to AMD GPU device files, typically requiring membership in the 'video' or 'render' groups.
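The missing check and its fix, as an added user-space model in C (not the amdkfd source and not code from this page). The function names, the value 4096 for KFD_SIGNAL_EVENT_LIMIT, the 0xFF fill byte and the canary arena are assumptions made for illustration.

```c
/* User-space model of the bug class; names and constants are illustrative. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KFD_SIGNAL_EVENT_LIMIT 4096u /* value assumed for this model */
#define SLOT_BYTES 8u                /* the "* 8" from the description */
#define PAGE_FILL_BYTES (KFD_SIGNAL_EVENT_LIMIT * SLOT_BYTES)
#define FILL 0xFF                    /* fill byte assumed */
#define CANARY 0x5A

static int last_rc; /* return code of the most recent call under test */

/* Pre-fix shape: size is accepted but never compared to the write length. */
static int model_page_set_unchecked(void *addr, uint64_t size)
{
    (void)size;
    memset(addr, FILL, PAGE_FILL_BYTES);
    return 0;
}

/* Post-fix shape: reject any buffer shorter than the fixed-length write. */
static int model_page_set_checked(void *addr, uint64_t size)
{
    if (size < PAGE_FILL_BYTES)
        return -EINVAL;
    memset(addr, FILL, PAGE_FILL_BYTES);
    return 0;
}

/* Calls one variant on a buffer whose claimed size is `claimed` (must be
 * <= PAGE_FILL_BYTES). The backing arena is larger than the write, so the
 * model never leaves its own memory; the byte just past `claimed` stands in
 * for whatever sits next to the real buffer. Returns 1 if that byte survived. */
static int canary_survives(int (*set)(void *, uint64_t), uint64_t claimed)
{
    static unsigned char arena[2 * PAGE_FILL_BYTES];
    memset(arena, CANARY, sizeof(arena));
    last_rc = set(arena, claimed);
    return arena[claimed] == CANARY;
}

int main(void)
{
    int ok = canary_survives(model_page_set_unchecked, 64);
    printf("unchecked: rc=%d canary_intact=%d\n", last_rc, ok);
    ok = canary_survives(model_page_set_checked, 64);
    printf("checked:   rc=%d canary_intact=%d\n", last_rc, ok);
    return 0;
}
```

With a claimed size of 64 bytes, the unchecked variant reports success while overwriting the adjacent byte; the checked variant returns -EINVAL and writes nothing.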
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | 3e04bc310d80 |
| 5.15 | 5.15.202 | de8d7a25cd2e |
| 6.1 | 6.1.165 | b4034442cb09 |
| 6.6 | 6.6.128 | 4857c37c7ba9 |
| 6.12 | 6.12.75 | 75fb57efdd78 |
| 6.18 | 6.18.16 | bfcd6b53e1f4 |
| 6.19 | 6.19.6 | 4e72f419e4ed |
| mainline | 7.0 | 8a70a26c9f34 |