HIGH
drm/amdkfd SVM Buffer OOB
CVE-2026-46197
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 6.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: validate SVM ioctl nattr against buffer size

Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.

(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)
02 KernelScan AI Analysis
Risk summary
Local users with GPU access can trigger out-of-bounds kernel memory reads through malformed SVM ioctl calls. This can lead to information disclosure of kernel memory contents or system crashes. Systems running GPU compute workloads or OpenCL/ROCm applications are at risk.
Vulnerability analysis
The AMD KFD SVM ioctl handler failed to validate the user-provided nattr field against the actual buffer size, allowing attackers to specify a large attribute count that causes kernel reads beyond allocated memory. The fix adds proper validation using struct_size() to calculate expected buffer requirements and rejects requests where the buffer is too small. Attack requires local access to the /dev/kfd device file, typically available to users in graphics-related groups.
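The check described above, sketched as an added userspace example (not the kernel patch or the driver's own code): a count-prefixed argument block is accepted only if the bytes actually supplied cover every element that nattr claims. The struct and function names are hypothetical, and the GCC/Clang overflow builtins stand in for the kernel's struct_size().

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace model of an ioctl argument block: fixed header
 * followed by a caller-sized attribute array (names are assumptions). */
struct svm_attr_model { uint32_t type, value; };
struct svm_args_model {
    uint64_t start_addr;
    uint64_t size;
    uint32_t op;
    uint32_t nattr;                /* user-controlled element count */
    struct svm_attr_model attrs[]; /* flexible array member */
};

/* Stand-in for the kernel's struct_size(): header plus nattr elements,
 * saturating to SIZE_MAX on overflow so the comparison below fails. */
static size_t svm_args_required(uint32_t nattr)
{
    size_t bytes;
    if (__builtin_mul_overflow((size_t)nattr, sizeof(struct svm_attr_model), &bytes) ||
        __builtin_add_overflow(bytes, offsetof(struct svm_args_model, attrs), &bytes))
        return SIZE_MAX;
    return bytes;
}

/* buf_size is the number of bytes actually copied in from the caller.
 * Returns 0 only if every attribute that nattr claims lies inside it. */
int svm_check_nattr(const struct svm_args_model *args, size_t buf_size)
{
    if (buf_size < offsetof(struct svm_args_model, attrs))
        return -EINVAL;            /* header itself is truncated */
    if (svm_args_required(args->nattr) > buf_size)
        return -EINVAL;            /* nattr would index past the buffer */
    return 0;
}

int main(void)
{
    /* Constructed request: 40-byte buffer = 24-byte header + 2 attributes. */
    static union { struct svm_args_model a; unsigned char bytes[40]; } req;

    for (uint32_t n = 1; n <= 4; n++) {
        req.a.nattr = n;
        printf("nattr=%u -> %d\n", n, svm_check_nattr(&req.a, sizeof(req.bytes)));
    }
    return 0;
}
```

The saturating size calculation matters on 32-bit builds, where a large nattr multiplied by the element size would otherwise wrap to a small value and pass the comparison.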
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.209 | daa8bc5f8381 |
| 6.1 | 6.1.175 | fb07a0c9c841 |
| 6.6 | 6.6.140 | 91c6dc5a4169 |
| 6.12 | 6.12.90 | ccd060b5c7cc |
| 6.18 | 6.18.32 | db9530a9873a |
| 7.0 | 7.0.9 | 6abd3a4417cb |
| mainline | 7.1-rc2 | 045e0ff208f0 |