Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Limit BO list entry count to prevent resource exhaustion

Userspace can pass an arbitrary number of BO list entries via the
bo_number field. Although the previous multiplication overflow check
prevents out-of-bounds allocation, a large number of entries could still
cause excessive memory allocation (up to potentially gigabytes) and
unnecessarily long list processing times.

Introduce a hard limit of 128k entries per BO list, which is more than
sufficient for any realistic use case (e.g., a single list containing all
buffers in a large scene). This prevents memory exhaustion attacks and
ensures predictable performance.

Return -EINVAL if the requested entry count exceeds the limit

(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)
Published: 2026-04-03
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s AMDGPU driver, userspace can provide an arbitrarily large number of buffer object (BO) list entries through the bo_number field. The earlier overflow check prevented out‑of‑bounds allocation, but it did not constrain the total number of entries requested. A very large request can therefore cause the driver to allocate an excessive amount of memory—potentially many gigabytes—and to traverse a long list, which can exhaust system resources and degrade performance. The fix introduces a hard limit of 128,000 entries per BO list and returns an error when the requested count exceeds this threshold, preventing the excessive allocation.

Affected Systems

This issue is present in the AMDGPU component of the Linux kernel before the commit that enforces the 128,000 entry limit. All kernel builds that compiled the affected driver without applying the patch are potentially vulnerable. The known affected kernel versions are those represented by the CPE strings – Linux kernel 7.0 RC1 through RC4 and all other releases compiled with the unpatched driver.

Risk and Exploitability

The vulnerability requires a process that can interact with the AMDGPU driver, typically a user‑space application with DRM access or a privileged user. Because exploitation involves kernel‑mode memory allocation, it is likely limited to local or privileged users, reducing the chance of remote attacks. The CVSS score of 5.5, an EPSS score of < 1 %, and absence from the CISA KEV catalog all indicate a moderate exploitation risk, but the potential for a denial‑of‑service attack by exhausting system memory remains significant.

Generated by OpenCVE AI on May 26, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the patch limiting BO list entry counts
  • Make sure the system restarts after the kernel upgrade to activate the updated driver
  • Modify udev rules or set file permissions on /dev/dri/* to restrict write access to trusted users only, preventing unprivileged exploitation until the kernel patch is applied

Generated by OpenCVE AI on May 26, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6253-1 linux security update
History

Tue, 26 May 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sun, 17 May 2026 15:45:00 +0000

Type Values Removed Values Added
References

Thu, 07 May 2026 05:30:00 +0000

Type Values Removed Values Added
References

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
References

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times. Introduce a hard limit of 128k entries per BO list, which is more than sufficient for any realistic use case (e.g., a single list containing all buffers in a large scene). This prevents memory exhaustion attacks and ensures predictable performance. Return -EINVAL if the requested entry count exceeds the limit (cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)
Title drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-17T15:21:21.413Z

Reserved: 2026-01-13T15:37:46.021Z

Link: CVE-2026-23468

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T16:16:34.330

Modified: 2026-05-26T14:34:20.107

Link: CVE-2026-23468

cve-icon Redhat

Severity :

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23468 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T17:00:13Z

Weaknesses