CVE-2026-23338 - Vulnerability Details

- drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings

Userspace can either deliberately pass in the too small num_fences, or the
required number can legitimately grow between the two calls to the userq
wait ioctl. In both cases we do not want the emit the kernel warning
backtrace since nothing is wrong with the kernel and userspace will simply
get an errno reported back. So lets simply drop the WARN_ONs.

(cherry picked from commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)

Published: 2026-03-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability enables a userspace application to intentionally trigger kernel warning backtraces through the amdgpu user queue wait ioctl by supplying a num_fences value that is too small or allowing the required count to grow between calls. The kernel’s WARN_ON statements would emit a backtrace, after which userspace receives an errno. The fix removes the WARN_ONs so no warning is emitted, only an error code is returned.

Affected Systems

Systems running the Linux kernel with an amdgpu driver that precedes the commit removing the WARN_ONs are potentially affected. The specific kernel releases are not listed, so any kernel before the applied change should be examined.

Risk and Exploitability

The EPSS score is below 1 %, and the vulnerability is not in the CISA KEV catalog. Exploitation requires local userspace access to the amdgpu driver and only leads to kernel warning messages, not arbitrary code execution or denial of service. Updating to a patched kernel removes the risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a292fdecd72834b3bec380baa5db1e69e7f70679`	affected	< 1753f5f81ab60a553287f9ee659a6ac363adf8d7
`a292fdecd72834b3bec380baa5db1e69e7f70679`	affected	< 7321302edca3a349ddaea689df95b986beee6c4a
`a292fdecd72834b3bec380baa5db1e69e7f70679`	affected	< 7b7d7693a55d606d700beb9549c9f7f0e5d9c24f

Linux

affected

Version	Status	Constraints
`6.16`	affected	—
`0`	unaffected	< 6.16
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.16:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[a292fdecd72834b3bec380baa5db1e69e7f70679,1753f5f81ab60a553287f9ee659a6ac363adf8d7)`	affected	code_commit	—
`[a292fdecd72834b3bec380baa5db1e69e7f70679,7321302edca3a349ddaea689df95b986beee6c4a)`	affected	code_commit	—
`[a292fdecd72834b3bec380baa5db1e69e7f70679,7b7d7693a55d606d700beb9549c9f7f0e5d9c24f)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.16`	affected	generic	—
`[0,6.16)`	unaffected	generic	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc2,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the amdgpu user queue warning mitigation commit.
Verify the running kernel version with uname -r.
Monitor system logs for amdgpu warning messages if an immediate update is not possible.

Generated by OpenCVE AI on March 26, 2026 at 15:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1753f5f81ab60a553287f9ee659a6ac363adf8d7
https://git.kernel.org/stable/c/7321302edca3a349ddaea689df95b986beee6c4a
https://git.kernel.org/stable/c/7b7d7693a55d606d700beb9549c9f7f0e5d9c24f
https://lore.kernel.org/linux-cve-announce/2026032534-CVE-2026-23338-67c7@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23338
https://www.cve.org/CVERecord?id=CVE-2026-23338

History

Thu, 23 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:6.16:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-397 CWE-668

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1284
References		https://lore.kernel.org/linux-cve-announce/2026032534-CVE-2026-23338-67c7@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23338 https://www.cve.org/CVERecord?id=CVE-2026-23338

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-397 CWE-668

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings Userspace can either deliberately pass in the too small num_fences, or the required number can legitimately grow between the two calls to the userq wait ioctl. In both cases we do not want the emit the kernel warning backtrace since nothing is wrong with the kernel and userspace will simply get an errno reported back. So lets simply drop the WARN_ONs. (cherry picked from commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)
Title		drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1753f5f81ab60a553287f9ee659a6ac363adf8d7 https://git.kernel.org/stable/c/7321302edca3a349ddaea689df95b986beee6c4a https://git.kernel.org/stable/c/7b7d7693a55d606d700beb9549c9f7f0e5d9c24f

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:27:27.377Z

Updated: 2026-04-13T06:05:20.076Z

Reserved: 2026-01-13T15:37:45.997Z

Link: CVE-2026-23338

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-25T11:16:31.537

Modified: 2026-04-23T21:17:25.680

Link: CVE-2026-23338

Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23338 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:49:35Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object