CVE-2026-31766 - Vulnerability Details

- drm/amdgpu: validate doorbell_offset in user queue creation

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: validate doorbell_offset in user queue creation

amdgpu_userq_get_doorbell_index() passes the user-provided
doorbell_offset to amdgpu_doorbell_index_on_bar() without bounds
checking. An arbitrarily large doorbell_offset can cause the
calculated doorbell index to fall outside the allocated doorbell BO,
potentially corrupting kernel doorbell space.

Validate that doorbell_offset falls within the doorbell BO before
computing the BAR index, using u64 arithmetic to prevent overflow.

(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)

Published: 2026-05-01

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s amdgpu driver has a flaw where an unbounded doorbell_offset supplied by user space is passed to a function without bounds checking. If an attacker provides a doorbell_offset larger than the allocated doorbell buffer object, the calculated index can reference memory outside that buffer. This out‑of‑bounds write corrupts kernel memory, potentially causing a crash or compromising kernel integrity if the overwritten data is leveraged.

Affected Systems

All Linux kernel releases that include the amdgpu driver before the commit adding bound checking for doorbell_offset are affected. The CVE does not list specific version ranges, so any kernel containing the unvalidated handling routine remains vulnerable until the fix is applied.

Risk and Exploitability

The flaw can be triggered by user‑space code that creates an amdgpu user queue with a malicious doorbell_offset. Because the kernel performs the unchecked calculation, the attack works from a local user context with access to the amdgpu driver. EPSS data is not available and the issue is not in CISA KEV, leaving the exact exploitation likelihood uncertain. The primary risk is kernel memory corruption that could destabilize the system; additional privilege escalation is possible only if the attacker can influence the overwritten data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`f09c1e6077abd1bc2ddd2b97e1135215801ca7f9`	affected	< 3543005a42d7e8e12b21897ef6798541bf7cbcd3
`f09c1e6077abd1bc2ddd2b97e1135215801ca7f9`	affected	< 86b732fbc37ce4fb76cdd4af0fb7e30a6acdbce6
`f09c1e6077abd1bc2ddd2b97e1135215801ca7f9`	affected	< a018d1819f158991b7308e4f74609c6c029b670c

Linux

affected

Version	Status	Constraints
`6.16`	affected	—
`0`	unaffected	< 6.16
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[f09c1e6077abd1bc2ddd2b97e1135215801ca7f9,3543005a42d7e8e12b21897ef6798541bf7cbcd3)`	affected	code_commit	—
`[f09c1e6077abd1bc2ddd2b97e1135215801ca7f9,86b732fbc37ce4fb76cdd4af0fb7e30a6acdbce6)`	affected	code_commit	—
`[f09c1e6077abd1bc2ddd2b97e1135215801ca7f9,a018d1819f158991b7308e4f74609c6c029b670c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.16`	affected	generic	—
`[0,6.16)`	unaffected	generic	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the patch for doorbell_offset validation in the amdgpu driver
Ensure the system is rebooted or the amdgpu module is reloaded after the kernel upgrade so that the old, vulnerable code is not present
Limit user access to the amdgpu device nodes so that only trusted users can load the driver or create user queues

Generated by OpenCVE AI on May 2, 2026 at 11:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3543005a42d7e8e12b21897ef6798541bf7cbcd3
https://git.kernel.org/stable/c/86b732fbc37ce4fb76cdd4af0fb7e30a6acdbce6
https://git.kernel.org/stable/c/a018d1819f158991b7308e4f74609c6c029b670c
https://lore.kernel.org/linux-cve-announce/2026050147-CVE-2026-31766-dd6d@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31766
https://www.cve.org/CVERecord?id=CVE-2026-31766

History

Sat, 02 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-787

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1285
References		https://lore.kernel.org/linux-cve-announce/2026050147-CVE-2026-31766-dd6d@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31766 https://www.cve.org/CVERecord?id=CVE-2026-31766

Fri, 01 May 2026 23:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-787

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate doorbell_offset in user queue creation amdgpu_userq_get_doorbell_index() passes the user-provided doorbell_offset to amdgpu_doorbell_index_on_bar() without bounds checking. An arbitrarily large doorbell_offset can cause the calculated doorbell index to fall outside the allocated doorbell BO, potentially corrupting kernel doorbell space. Validate that doorbell_offset falls within the doorbell BO before computing the BAR index, using u64 arithmetic to prevent overflow. (cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)
Title		drm/amdgpu: validate doorbell_offset in user queue creation
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3543005a42d7e8e12b21897ef6798541bf7cbcd3 https://git.kernel.org/stable/c/86b732fbc37ce4fb76cdd4af0fb7e30a6acdbce6 https://git.kernel.org/stable/c/a018d1819f158991b7308e4f74609c6c029b670c

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:14:56.622Z

Updated: 2026-05-01T14:14:56.622Z

Reserved: 2026-03-09T15:48:24.140Z

Link: CVE-2026-31766

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:39.763

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31766

Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31766 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T11:45:41Z

Weaknesses

CWE-1285

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object