HIGH
drm/amdgpu VCN4 OOB
CVE-2026-46204
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI 6.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/vcn4: Prevent OOB reads when parsing IB

Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.
02 KernelScan AI Analysis
Risk summary
Systems with AMD GPUs using VCN4 hardware are vulnerable to kernel memory disclosure and potential crashes. Attackers with GPU access privileges can submit malformed indirect buffers to trigger out-of-bounds reads, potentially leaking slab/page data or causing kernel panic when accessing unmapped pages.
Vulnerability analysis
The vulnerability exists in the VCN4 indirect buffer parsing code where direct array access without bounds checking allows reading beyond allocated memory. The original code used ib->ptr[i] directly without validation; the fix replaces this with amdgpu_ib_get_value() which performs bounds checks. This affects the GPU command submission path, requiring local access and GPU privileges (typically render/video group) to exploit. The OOB read can leak adjacent heap/slab memory (C:Low minimum) and will hit unmapped pages causing kernel panic (A:High).
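An added illustration of the pattern described above (not the kernel's code and not taken from the patch): a userspace C model of a parser that reads every dword through a bounds-checked accessor. The struct, the function names and the [size in bytes, id, payload] block layout are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in for an indirect buffer: a dword array and its length. */
struct ib_model { const uint32_t *ptr; uint32_t length_dw; };

/* Checked read: fails instead of indexing past length_dw (unlike ptr[idx]). */
static int ib_get_checked(const struct ib_model *ib, uint32_t idx, uint32_t *out)
{
    if (idx >= ib->length_dw)
        return -EINVAL;
    *out = ib->ptr[idx];
    return 0;
}

/* Find the block with the given id; blocks are [size_bytes, id, payload...]
 * (assumed layout). Returns its dword index or a negative errno. */
static int ib_find_block(const struct ib_model *ib, uint32_t id)
{
    uint32_t i = 0, size, cur;

    while (i < ib->length_dw) {
        if (ib_get_checked(ib, i, &size) || ib_get_checked(ib, i + 1, &cur))
            return -EINVAL;            /* header runs off the end */
        if (size < 8 || size % 4 || size / 4 > ib->length_dw - i)
            return -EINVAL;            /* no progress, or block does not fit */
        if (cur == id)
            return (int)i;
        i += size / 4;
    }
    return -ENOENT;
}

/* Constructed sample buffers, not captured from real hardware. */
static const uint32_t good_words[] = { 8, 0x1, 12, 0x2, 0xAAAA };
static const uint32_t cut_words[]  = { 8, 0x1, 12 };      /* id dword missing */
static const uint32_t long_words[] = { 8, 0x1, 64, 0x2 }; /* size overstated */
static const struct ib_model good_ib = { good_words, 5 };
static const struct ib_model cut_ib  = { cut_words, 3 };
static const struct ib_model long_ib = { long_words, 4 };

int main(void)
{
    printf("good=%d cut=%d long=%d\n", ib_find_block(&good_ib, 0x2),
           ib_find_block(&cut_ib, 0x2), ib_find_block(&long_ib, 0x2));
    return 0;
}
```

Both malformed buffers are rejected with -EINVAL before any read past length_dw, which is the property a parser regression test for this class of bug should assert.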
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.90 | d0802a8877d7 |
| 6.18 | 6.18.32 | a6d5563ba1f0 |
| 6.6 | 6.6.140 | 1dc005775fb5 |
| 7.0 | 7.0.9 | 5c3e8ebad0c9 |
| mainline | 7.1-rc1 | 2444eb0ec828 |