HIGH
drm/amdgpu DecMsg OOB
CVE-2026-46199
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI 6.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg

Check bounds against the end of the BO whenever we access the msg.
02 KernelScan AI Analysis
Risk summary
Local users with graphics device access can trigger out-of-bounds reads in AMD GPU VCN4 decoder message parsing, potentially leaking limited kernel memory and causing system crashes. This affects systems with AMD GPUs that have VCN4 video decode capabilities.
Vulnerability analysis
The vulnerability exists in the VCN4 decoder message parsing function which failed to validate buffer boundaries when accessing message fields and buffer descriptors. Attackers could craft malformed decoder messages with invalid lengths or buffer counts to read beyond allocated memory. Because the attacker-controlled num_buffers value is unbounded, the out-of-bounds read can span a large region, leaking adjacent slab data before eventually hitting unmapped pages and causing a kernel panic. The fix adds comprehensive bounds checking at multiple points: minimum message size validation, header boundary checks, buffer count validation against message length, and individual buffer boundary verification.
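The four kinds of check named above, shown as an added example on a hypothetical message layout. This is not the amdgpu patch or the real VCN4 message format; `parse_msg`, `rd32`, the field names and the sizes are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout for illustration only, NOT the VCN4 decode message:
 * header { u32 msg_size; u32 num_buffers; } followed by num_buffers
 * descriptors { u32 offset; u32 size; } pointing at payloads in the message. */
#define HDR_SIZE  8u
#define DESC_SIZE 8u

static uint32_t rd32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof(v)); /* alignment-safe, host-endian read */
    return v;
}

/* Returns total payload bytes described, or -EINVAL on any bounds failure. */
int64_t parse_msg(const uint8_t *bo, size_t bo_size)
{
    uint32_t msg_size, num_buffers, i;
    int64_t total = 0;
    if (bo_size < HDR_SIZE)                         /* 1. minimum size */
        return -EINVAL;
    msg_size = rd32(bo);
    num_buffers = rd32(bo + 4);
    if (msg_size < HDR_SIZE || msg_size > bo_size)  /* 2. header vs. end of BO */
        return -EINVAL;
    /* 3. count vs. message length; dividing avoids a multiply overflow */
    if (num_buffers > (msg_size - HDR_SIZE) / DESC_SIZE)
        return -EINVAL;
    for (i = 0; i < num_buffers; i++) {
        const uint8_t *d = bo + HDR_SIZE + (size_t)i * DESC_SIZE;
        uint32_t off = rd32(d), len = rd32(d + 4);
        /* 4. payload must lie inside the message; subtract, never add */
        if (off > msg_size || len > msg_size - off)
            return -EINVAL;
        total += len;
    }
    return total;
}

int main(void)
{
    uint32_t bad[] = { 24, 0xffffffffu, 16, 8, 0, 0 }; /* constructed sample */
    printf("%lld\n", (long long)parse_msg((const uint8_t *)bad, sizeof(bad)));
    return 0;
}
```

Each comparison is written as a subtraction from a value already validated, so an attacker-chosen count, offset or length cannot wrap the arithmetic before the check runs.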
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.175 | 88411caee8f5 |
| 6.12 | 6.12.90 | 7688143ca62e |
| 6.18 | 6.18.32 | 63b51e8a9d54 |
| 6.6 | 6.6.140 | c72a8b4dc6d5 |
| 7.0 | 7.0.9 | 3c817a60b09e |
| mainline | 7.1-rc1 | 0a78f2bac142 |