CVE-2026-43237

{"id": "CVE-2026-43237", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-05-06T12:16:43.960", "references": [{"url": "https://git.kernel.org/stable/c/0399b8416ecf64ef86ad23401fe23eabdb07831a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bd8150a1b3370a9f7761c5814202a3fe5a79f44f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e9e477d3197f7d8955a042c0d7f53f78f13218ba", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4\n\nThis commit simplifies the amdgpu_gem_va_ioctl function, key updates\ninclude:\n - Moved the logic for managing the last update fence directly into\n amdgpu_gem_va_update_vm.\n - Introduced checks for the timeline point to enable conditional\n replacement or addition of fences.\n\nv2: Addressed review comments from Christian.\nv3: Updated comments (Christian).\nv4: The previous version selected the fence too early and did not manage its\n reference correctly, which could lead to stale or freed fences being used.\n This resulted in refcount underflows and could crash when updating GPU\n timelines.\n The fence is now chosen only after the VA mapping work is completed, and its\n reference is taken safely. After exporting it to the VM timeline syncobj, the\n driver always drops its local fence reference, ensuring balanced refcounting\n and avoiding use-after-free on dma_fence.\n\n\tCrash signature:\n\t[ 205.828135] refcount_t: underflow; use-after-free.\n\t[ 205.832963] WARNING: CPU: 30 PID: 7274 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n\t...\n\t[ 206.074014] Call Trace:\n\t[ 206.076488] <TASK>\n\t[ 206.078608] amdgpu_gem_va_ioctl+0x6ea/0x740 [amdgpu]\n\t[ 206.084040] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]\n\t[ 206.089994] drm_ioctl_kernel+0x86/0xe0 [drm]\n\t[ 206.094415] drm_ioctl+0x26e/0x520 [drm]\n\t[ 206.098424] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]\n\t[ 206.104402] amdgpu_drm_ioctl+0x4b/0x80 [amdgpu]\n\t[ 206.109387] __x64_sys_ioctl+0x96/0xe0\n\t[ 206.113156] do_syscall_64+0x66/0x2d0\n\t...\n\t[ 206.553351] BUG: unable to handle page fault for address: ffffffffc0dfde90\n\t...\n\t[ 206.553378] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0\n\t...\n\t[ 206.553405] Call Trace:\n\t[ 206.553409] <IRQ>\n\t[ 206.553415] ? __pfx_drm_sched_fence_free_rcu+0x10/0x10 [gpu_sched]\n\t[ 206.553424] dma_fence_signal+0x30/0x60\n\t[ 206.553427] drm_sched_job_done.isra.0+0x123/0x150 [gpu_sched]\n\t[ 206.553434] dma_fence_signal_timestamp_locked+0x6e/0xe0\n\t[ 206.553437] dma_fence_signal+0x30/0x60\n\t[ 206.553441] amdgpu_fence_process+0xd8/0x150 [amdgpu]\n\t[ 206.553854] sdma_v4_0_process_trap_irq+0x97/0xb0 [amdgpu]\n\t[ 206.554353] edac_mce_amd(E) ee1004(E)\n\t[ 206.554270] amdgpu_irq_dispatch+0x150/0x230 [amdgpu]\n\t[ 206.554702] amdgpu_ih_process+0x6a/0x180 [amdgpu]\n\t[ 206.555101] amdgpu_irq_handler+0x23/0x60 [amdgpu]\n\t[ 206.555500] __handle_irq_event_percpu+0x4a/0x1c0\n\t[ 206.555506] handle_irq_event+0x38/0x80\n\t[ 206.555509] handle_edge_irq+0x92/0x1e0\n\t[ 206.555513] __common_interrupt+0x3e/0xb0\n\t[ 206.555519] common_interrupt+0x80/0xa0\n\t[ 206.555525] </IRQ>\n\t[ 206.555527] <TASK>\n\t...\n\t[ 206.555650] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0\n\t...\n\t[ 206.555667] Kernel panic - not syncing: Fatal exception in interrupt"}], "lastModified": "2026-05-12T18:55:52.373", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4562EDA-AFEA-4C62-97CC-C83E109A5F19", "versionEndExcluding": "6.18.16", "versionStartIncluding": "6.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67", "versionEndExcluding": "6.19.6", "versionStartIncluding": "6.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}