HIGH
drm DecMsg OOB
CVE-2026-46230
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI7.1HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg Check bounds against the end of the BO whenever we access the msg.
02KernelScan AI Analysis
Risk summary
Local attackers with GPU access can trigger out-of-bounds reads in AMD VCN3 decoder message parsing, potentially leaking kernel memory contents or causing system crashes. This affects systems with AMD GPUs where users have graphics device access.
Vulnerability analysis
The vulnerability exists in the VCN3 decoder message parsing code which processes user-provided buffer objects without adequate bounds checking. The original code failed to validate that message headers, buffer counts, and referenced buffer data fit within the allocated buffer object boundaries. The fix adds comprehensive bounds validation at multiple levels - checking minimum message sizes, validating header fields against BO limits, ensuring buffer indices fit within claimed message lengths, and verifying that all referenced buffer offsets and sizes remain within bounds. Attack surface is local through GPU device nodes, typically requiring graphics group membership.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.209 | f55552adb100 |
| 6.1 | 6.1.175 | 82c535eff054 |
| 6.12 | 6.12.90 | 870c8738c377 |
| 6.18 | 6.18.32 | 638e48ee39d0 |
| 6.6 | 6.6.140 | 638d3e0b9eb7 |
| 7.0 | 7.0.9 | e382e0b81a3e |
| mainline | 7.1-rc1 | b193019860d6 |