CVE-2026-31765 - Vulnerability Details

- drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB

Currently, AMDGPU_VA_RESERVED_TRAP_SIZE is hardcoded to 8KB, while
KFD_CWSR_TBA_TMA_SIZE is defined as 2 * PAGE_SIZE. On systems with
4K pages, both values match (8KB), so allocation and reserved space
are consistent.

However, on 64K page-size systems, KFD_CWSR_TBA_TMA_SIZE becomes 128KB,
while the reserved trap area remains 8KB. This mismatch causes the
kernel to crash when running rocminfo or rccl unit tests.

Kernel attempted to read user page (2) - exploit attempt? (uid: 1001)
BUG: Kernel NULL pointer dereference on read at 0x00000002
Faulting instruction address: 0xc0000000002c8a64
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
CPU: 34 UID: 1001 PID: 9379 Comm: rocminfo Tainted: G E
6.19.0-rc4-amdgpu-00320-gf23176405700 #56 VOLUNTARY
Tainted: [E]=UNSIGNED_MODULE
Hardware name: IBM,9105-42A POWER10 (architected) 0x800200 0xf000006
of:IBM,FW1060.30 (ML1060_896) hv:phyp pSeries
NIP: c0000000002c8a64 LR: c00000000125dbc8 CTR: c00000000125e730
REGS: c0000001e0957580 TRAP: 0300 Tainted: G E
MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24008268
XER: 00000036
CFAR: c00000000125dbc4 DAR: 0000000000000002 DSISR: 40000000
IRQMASK: 1
GPR00: c00000000125d908 c0000001e0957820 c0000000016e8100
c00000013d814540
GPR04: 0000000000000002 c00000013d814550 0000000000000045
0000000000000000
GPR08: c00000013444d000 c00000013d814538 c00000013d814538
0000000084002268
GPR12: c00000000125e730 c000007e2ffd5f00 ffffffffffffffff
0000000000020000
GPR16: 0000000000000000 0000000000000002 c00000015f653000
0000000000000000
GPR20: c000000138662400 c00000013d814540 0000000000000000
c00000013d814500
GPR24: 0000000000000000 0000000000000002 c0000001e0957888
c0000001e0957878
GPR28: c00000013d814548 0000000000000000 c00000013d814540
c0000001e0957888
NIP [c0000000002c8a64] __mutex_add_waiter+0x24/0xc0
LR [c00000000125dbc8] __mutex_lock.constprop.0+0x318/0xd00
Call Trace:
0xc0000001e0957890 (unreliable)
__mutex_lock.constprop.0+0x58/0xd00
amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x6fc/0xb60 [amdgpu]
kfd_process_alloc_gpuvm+0x54/0x1f0 [amdgpu]
kfd_process_device_init_cwsr_dgpu+0xa4/0x1a0 [amdgpu]
kfd_process_device_init_vm+0xd8/0x2e0 [amdgpu]
kfd_ioctl_acquire_vm+0xd0/0x130 [amdgpu]
kfd_ioctl+0x514/0x670 [amdgpu]
sys_ioctl+0x134/0x180
system_call_exception+0x114/0x300
system_call_vectored_common+0x15c/0x2ec

This patch changes AMDGPU_VA_RESERVED_TRAP_SIZE to 64 KB and
KFD_CWSR_TBA_TMA_SIZE to the AMD GPU page size. This means we reserve
64 KB for the trap in the address space, but only allocate 8 KB within
it. With this approach, the allocation size never exceeds the reserved
area.

(cherry picked from commit 31b8de5e55666f26ea7ece5f412b83eab3f56dbb)

Published: 2026-05-01

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw occurs because the AMDGPU driver reserves a 64‑KB trap area but allocates only 8‑KB when the kernel page size is 64‑KB, causing a null pointer dereference during GPU memory allocation. When a process triggers an amdgpu ioctl that performs this allocation, the kernel crashes, emitting an Oops and requiring a reboot. The result is a denial of service that disrupts normal GPU‑related operations such as running rocminfo or unit tests.

Affected Systems

This vulnerability affects the Linux kernel’s amdgpu driver in builds that define AMDGPU_VA_RESERVED_TRAP_SIZE as 8‑KB and run on architectures supporting 64‑KB pages, notably POWER10 machines. It was observed in the 6.19.0‑rc4 kernel before the commit that aligns the reserved size with the page size, so any kernel version lacking that patch is susceptible.

Risk and Exploitability

The defect can be triggered by any local process that issues the relevant amdgpu ioctl, so privilege escalation is not required. The likely attack vector is a local user invoking GPU utilities such as rocminfo, which internally call the affected ioctl. Because the attack only causes a kernel crash, the exploitable conditions are straightforward and the likelihood of in‑the‑wild exploitation is moderate. EPSS data is not available, the flaw has not been listed in CISA KEV, and no CVSS score is published, but the described impact—an immediate kernel crash—constitutes a serious denial of service path.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`34a1de0f79352086884553f78db271f957a98583`	affected	< 6b2614a0ff05a2d2836311425091c8feca6f0c21
`34a1de0f79352086884553f78db271f957a98583`	affected	< 77c918eaa4c916751769242567407f61c6af142a
`34a1de0f79352086884553f78db271f957a98583`	affected	< d3508cf822c4d96d3e492210314f8f6f2da7df58
`34a1de0f79352086884553f78db271f957a98583`	affected	< 4487571ef17a30d274600b3bd6965f497a881299

Linux

affected

Version	Status	Constraints
`6.9`	affected	—
`0`	unaffected	< 6.9
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[34a1de0f79352086884553f78db271f957a98583,6b2614a0ff05a2d2836311425091c8feca6f0c21)`	affected	code_commit	—
`[34a1de0f79352086884553f78db271f957a98583,77c918eaa4c916751769242567407f61c6af142a)`	affected	code_commit	—
`[34a1de0f79352086884553f78db271f957a98583,d3508cf822c4d96d3e492210314f8f6f2da7df58)`	affected	code_commit	—
`[34a1de0f79352086884553f78db271f957a98583,4487571ef17a30d274600b3bd6965f497a881299)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.9`	affected	semver	—
`[0,6.9)`	unaffected	semver	—
`[6.12.81,6.12.*]`	unaffected	generic	—
`[6.18.22,6.18.*]`	unaffected	generic	—
`[6.19.12,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install a kernel version that includes the AMDGPU_VA_RESERVED_TRAP_SIZE change or backport the patch and rebuild the kernel.
Reboot the system or reload the amdgpu kernel module to apply the new constants.
Verify that GPU utilities such as rocminfo or rccl unit tests no longer trigger Oops messages; if they continue to crash, perform further investigation or apply additional vendor patches.

Generated by OpenCVE AI on May 2, 2026 at 07:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4487571ef17a30d274600b3bd6965f497a881299
https://git.kernel.org/stable/c/6b2614a0ff05a2d2836311425091c8feca6f0c21
https://git.kernel.org/stable/c/77c918eaa4c916751769242567407f61c6af142a
https://git.kernel.org/stable/c/d3508cf822c4d96d3e492210314f8f6f2da7df58
https://lore.kernel.org/linux-cve-announce/2026050146-CVE-2026-31765-19a6@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31765
https://www.cve.org/CVERecord?id=CVE-2026-31765

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-131
References		https://lore.kernel.org/linux-cve-announce/2026050146-CVE-2026-31765-19a6@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31765 https://www.cve.org/CVERecord?id=CVE-2026-31765

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB Currently, AMDGPU_VA_RESERVED_TRAP_SIZE is hardcoded to 8KB, while KFD_CWSR_TBA_TMA_SIZE is defined as 2 * PAGE_SIZE. On systems with 4K pages, both values match (8KB), so allocation and reserved space are consistent. However, on 64K page-size systems, KFD_CWSR_TBA_TMA_SIZE becomes 128KB, while the reserved trap area remains 8KB. This mismatch causes the kernel to crash when running rocminfo or rccl unit tests. Kernel attempted to read user page (2) - exploit attempt? (uid: 1001) BUG: Kernel NULL pointer dereference on read at 0x00000002 Faulting instruction address: 0xc0000000002c8a64 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries CPU: 34 UID: 1001 PID: 9379 Comm: rocminfo Tainted: G E 6.19.0-rc4-amdgpu-00320-gf23176405700 #56 VOLUNTARY Tainted: [E]=UNSIGNED_MODULE Hardware name: IBM,9105-42A POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.30 (ML1060_896) hv:phyp pSeries NIP: c0000000002c8a64 LR: c00000000125dbc8 CTR: c00000000125e730 REGS: c0000001e0957580 TRAP: 0300 Tainted: G E MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24008268 XER: 00000036 CFAR: c00000000125dbc4 DAR: 0000000000000002 DSISR: 40000000 IRQMASK: 1 GPR00: c00000000125d908 c0000001e0957820 c0000000016e8100 c00000013d814540 GPR04: 0000000000000002 c00000013d814550 0000000000000045 0000000000000000 GPR08: c00000013444d000 c00000013d814538 c00000013d814538 0000000084002268 GPR12: c00000000125e730 c000007e2ffd5f00 ffffffffffffffff 0000000000020000 GPR16: 0000000000000000 0000000000000002 c00000015f653000 0000000000000000 GPR20: c000000138662400 c00000013d814540 0000000000000000 c00000013d814500 GPR24: 0000000000000000 0000000000000002 c0000001e0957888 c0000001e0957878 GPR28: c00000013d814548 0000000000000000 c00000013d814540 c0000001e0957888 NIP [c0000000002c8a64] __mutex_add_waiter+0x24/0xc0 LR [c00000000125dbc8] __mutex_lock.constprop.0+0x318/0xd00 Call Trace: 0xc0000001e0957890 (unreliable) __mutex_lock.constprop.0+0x58/0xd00 amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x6fc/0xb60 [amdgpu] kfd_process_alloc_gpuvm+0x54/0x1f0 [amdgpu] kfd_process_device_init_cwsr_dgpu+0xa4/0x1a0 [amdgpu] kfd_process_device_init_vm+0xd8/0x2e0 [amdgpu] kfd_ioctl_acquire_vm+0xd0/0x130 [amdgpu] kfd_ioctl+0x514/0x670 [amdgpu] sys_ioctl+0x134/0x180 system_call_exception+0x114/0x300 system_call_vectored_common+0x15c/0x2ec This patch changes AMDGPU_VA_RESERVED_TRAP_SIZE to 64 KB and KFD_CWSR_TBA_TMA_SIZE to the AMD GPU page size. This means we reserve 64 KB for the trap in the address space, but only allocate 8 KB within it. With this approach, the allocation size never exceeds the reserved area. (cherry picked from commit 31b8de5e55666f26ea7ece5f412b83eab3f56dbb)
Title		drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4487571ef17a30d274600b3bd6965f497a881299 https://git.kernel.org/stable/c/6b2614a0ff05a2d2836311425091c8feca6f0c21 https://git.kernel.org/stable/c/77c918eaa4c916751769242567407f61c6af142a https://git.kernel.org/stable/c/d3508cf822c4d96d3e492210314f8f6f2da7df58

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:14:55.907Z

Updated: 2026-05-01T14:14:55.907Z

Reserved: 2026-03-09T15:48:24.140Z

Link: CVE-2026-31765

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:39.633

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31765

Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31765 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T07:30:36Z

Weaknesses

CWE-131

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object