{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23338", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.997Z", "datePublished": "2026-03-25T10:27:27.377Z", "dateUpdated": "2026-03-25T10:27:27.377Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:27.377Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings\n\nUserspace can either deliberately pass in the too small num_fences, or the\nrequired number can legitimately grow between the two calls to the userq\nwait ioctl. In both cases we do not want the emit the kernel warning\nbacktrace since nothing is wrong with the kernel and userspace will simply\nget an errno reported back. So lets simply drop the WARN_ONs.\n\n(cherry picked from commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c"], "versions": [{"version": "a292fdecd72834b3bec380baa5db1e69e7f70679", "lessThan": "1753f5f81ab60a553287f9ee659a6ac363adf8d7", "status": "affected", "versionType": "git"}, {"version": "a292fdecd72834b3bec380baa5db1e69e7f70679", "lessThan": "7321302edca3a349ddaea689df95b986beee6c4a", "status": "affected", "versionType": "git"}, {"version": "a292fdecd72834b3bec380baa5db1e69e7f70679", "lessThan": "7b7d7693a55d606d700beb9549c9f7f0e5d9c24f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1753f5f81ab60a553287f9ee659a6ac363adf8d7"}, {"url": "https://git.kernel.org/stable/c/7321302edca3a349ddaea689df95b986beee6c4a"}, {"url": "https://git.kernel.org/stable/c/7b7d7693a55d606d700beb9549c9f7f0e5d9c24f"}], "title": "drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings\n\nUserspace can either deliberately pass in the too small num_fences, or the\nrequired number can legitimately grow between the two calls to the userq\nwait ioctl. In both cases we do not want the emit the kernel warning\nbacktrace since nothing is wrong with the kernel and userspace will simply\nget an errno reported back. So lets simply drop the WARN_ONs.\n\n(cherry picked from commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)"}], "id": "CVE-2026-23338", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:31.537", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1753f5f81ab60a553287f9ee659a6ac363adf8d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7321302edca3a349ddaea689df95b986beee6c4a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7b7d7693a55d606d700beb9549c9f7f0e5d9c24f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings", "id": "2451231", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451231"}, "csaw": false, "cwe": "CWE-1284", "details": ["A flaw was found in the Linux kernel, specifically within the `drm/amdgpu/userq` component. This vulnerability allows a local user to intentionally or unintentionally trigger kernel warnings. This occurs when the user provides an incorrect number of fences during a `userq wait ioctl` operation. While this does not compromise the kernel's integrity, it can lead to unnecessary system diagnostic messages."], "name": "CVE-2026-23338", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23338\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23338\nhttps://lore.kernel.org/linux-cve-announce/2026032534-CVE-2026-23338-67c7@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-03-25T11:39:55.983493+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to the latest stable release that contains the AMDGPU driver commit which removes the WARN_ON statements.", "Confirm that the installed kernel version reflects the patch by checking the kernel release notes or git commit list.", "If an update is not possible, ensure that no applications trigger the user queue wait ioctl with insufficient fences or monitor kernel logs for unexpected WARN_ON messages."], "summary": {"action": "Patch Kernel", "impact": "Trivial kernel warning suppression"}, "threat_synthesis": {"affected_systems": "The issue affects all Linux kernel releases that include the upstream AMDGPU driver until the commit that removes WARN_ON in user queue handling is applied. This covers any distribution that ships the stock kernel with the amdgpu module, regardless of specific vendor or minor version.", "description_and_impact": "A flaw in the Linux kernel\u2019s AMDGPU driver allowed userspace to trigger kernel warning messages by invoking the user queue wait ioctl with an insufficient number of fences or by timing a race in the required fence count between two calls. These warnings were harmless and did not indicate a kernel fault; the vulnerability was mitigated by dropping the warning triggers rather than rejecting the request, so no corruption or data leakage occurs.", "risk_and_exploitability": "The vulnerability does not provide any exploitable path; it merely produces benign warnings that could clutter logs. No CVSS score is assigned and the EPSS score is unavailable, and the vulnerability is absent from CISA\u2019s KEV catalog. The attack vector is userspace, and because the flaw has been patched by eliminating the warning triggers, the risk is effectively zero for systems that have applied the update."}}}}, "created": "2026-03-25T21:32:15.951839+00:00", "updated": "2026-03-25T21:32:15.951864+00:00", "vendors": [], "weaknesses": ["CWE-397", "CWE-668"]}