CVE-2026-23468 - Vulnerability Details

- drm/amdgpu: Limit BO list entry count to prevent resource exhaustion

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Limit BO list entry count to prevent resource exhaustion

Userspace can pass an arbitrary number of BO list entries via the
bo_number field. Although the previous multiplication overflow check
prevents out-of-bounds allocation, a large number of entries could still
cause excessive memory allocation (up to potentially gigabytes) and
unnecessarily long list processing times.

Introduce a hard limit of 128k entries per BO list, which is more than
sufficient for any realistic use case (e.g., a single list containing all
buffers in a large scene). This prevents memory exhaustion attacks and
ensures predictable performance.

Return -EINVAL if the requested entry count exceeds the limit

(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)

Published: 2026-04-03

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel’s AMDGPU driver, userspace can provide an arbitrarily large number of buffer object (BO) list entries through the bo_number field. The previous overflow check stops out‑of‑bounds allocation but does not limit how many entries can be requested. A large request can therefore cause the driver to allocate a massive amount of memory—potentially many gigabytes—and to perform very long list traversals, leading to severe memory exhaustion and slowed system performance. The fix introduces a hard limit of 128 000 entries per BO list, and returns an error if the requested count exceeds this limit, preventing the excessive allocation from occurring.

Affected Systems

This issue affects the AMDGPU component of the Linux kernel. The vulnerability is present in all kernel versions that compile the affected driver before the commit that enforces the 128 000 entry limit. No specific version ranges are listed, so any kernel build without the patch is potentially vulnerable.

Risk and Exploitability

The attack requires a process that can communicate with the AMDGPU driver, typically a privileged or user‑space application with DRM access. Because the vulnerability relies on kernel‑mode allocation, exploitation is likely limited to local or privileged users, reducing the likelihood of widespread remote attacks. The lack of an EPSS score and absence from the CISA KEV catalog suggest moderate exploitation risk, but the potential for DoS by exhausting system memory remains a serious concern for affected systems.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`d38ceaf99ed015f2a0b9af3499791bd3a3daae21`	affected	< 2723e6851309531ce61aed74e93a0cd268cc862a
`d38ceaf99ed015f2a0b9af3499791bd3a3daae21`	affected	< 5ce4a38e6c2488949e373d5066303f9c128db614
`d38ceaf99ed015f2a0b9af3499791bd3a3daae21`	affected	< f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9
`d38ceaf99ed015f2a0b9af3499791bd3a3daae21`	affected	< 6270b1a5dab94665d7adce3dc78bc9066ed28bdd

Linux

affected

Version	Status	Constraints
`4.2`	affected	—
`0`	unaffected	< 4.2
`6.12.86`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5ce4a38e6c2488949e373d5066303f9c128db614)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6270b1a5dab94665d7adce3dc78bc9066ed28bdd)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that contains the patch limiting BO list entry counts
Verify that the kernel source includes commit 688b87d39e0aa8135105b40dc167d74b5ada5332 or its equivalent
Reboot the system after the kernel upgrade to activate the updated driver
If an immediate kernel upgrade is not possible, restrict untrusted processes from accessing the GPU driver and monitor system memory usage for abnormal growth

Generated by OpenCVE AI on April 3, 2026 at 19:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6253-1	linux security update

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2723e6851309531ce61aed74e93a0cd268cc862a
https://git.kernel.org/stable/c/5ce4a38e6c2488949e373d5066303f9c128db614
https://git.kernel.org/stable/c/6270b1a5dab94665d7adce3dc78bc9066ed28bdd
https://git.kernel.org/stable/c/f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9
https://lore.kernel.org/linux-cve-announce/2026040321-CVE-2026-23468-8be9@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23468
https://www.cve.org/CVERecord?id=CVE-2026-23468

History

Thu, 07 May 2026 05:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/2723e6851309531ce61aed74e93a0cd268cc862a

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026040321-CVE-2026-23468-8be9@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23468 https://www.cve.org/CVERecord?id=CVE-2026-23468

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times. Introduce a hard limit of 128k entries per BO list, which is more than sufficient for any realistic use case (e.g., a single list containing all buffers in a large scene). This prevents memory exhaustion attacks and ensures predictable performance. Return -EINVAL if the requested entry count exceeds the limit (cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)
Title		drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/5ce4a38e6c2488949e373d5066303f9c128db614 https://git.kernel.org/stable/c/6270b1a5dab94665d7adce3dc78bc9066ed28bdd https://git.kernel.org/stable/c/f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:47.207Z

Updated: 2026-05-07T04:35:04.390Z

Reserved: 2026-01-13T15:37:46.021Z

Link: CVE-2026-23468

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:34.330

Modified: 2026-05-07T06:16:03.330

Link: CVE-2026-23468

Redhat

Severity :

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23468 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:15:45Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object