Description
In the Linux kernel, the following vulnerability has been resolved:

drm/buddy: Prevent BUG_ON by validating rounded allocation

When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is
rounded up to the next power-of-two via roundup_pow_of_two().
Similarly, for non-contiguous allocations with large min_block_size,
the size is aligned up via round_up(). Both operations can produce a
rounded size that exceeds mm->size, which later triggers
BUG_ON(order > mm->max_order).

Example scenarios:
- 9G CONTIGUOUS allocation on 10G VRAM memory:
  roundup_pow_of_two(9G) = 16G > 10G
- 9G allocation with 8G min_block_size on 10G VRAM memory:
  round_up(9G, 8G) = 16G > 10G

Fix this by checking the rounded size against mm->size. For
non-contiguous or range allocations where size > mm->size is invalid,
return -EINVAL immediately. For contiguous allocations without range
restrictions, allow the request to fall through to the existing
__alloc_contig_try_harder() fallback.

This ensures invalid user input returns an error or uses the fallback
path instead of hitting BUG_ON.

v2: (Matt A)
- Add Fixes, Cc stable, and Closes tags for context
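
The rounding and the size check described above, as an added example that is not part of the CVE record or the kernel patch: a userspace C model of the two scenarios. check_rounded_size(), the model_* helpers and the verdict values are hypothetical names, and mm_size is assumed to be below 2^63.

```c
/* Userspace model (added example, not kernel code) of the rounded-size
 * check. Names not quoted in the description are hypothetical; mm_size
 * is assumed to be below 2^63 so the rounding cannot wrap. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GiB (1ULL << 30)
enum verdict { PROCEED = 0, TRY_HARDER = 1 };  /* hypothetical outcomes */

/* Same result as roundup_pow_of_two() for 1 <= n <= 2^63. */
static uint64_t model_roundup_pow_of_two(uint64_t n)
{
    uint64_t p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

/* Same result as round_up(n, align) for a power-of-two align. */
static uint64_t model_round_up(uint64_t n, uint64_t align)
{
    return (n + align - 1) & ~(align - 1);
}

/* Returns -EINVAL, PROCEED, or TRY_HARDER (the fallback path). */
static int check_rounded_size(uint64_t mm_size, uint64_t size,
                              uint64_t min_block_size,
                              bool contiguous, bool range)
{
    uint64_t rounded;
    if (size == 0 || size > mm_size)
        return -EINVAL;            /* model assumption: raw size must fit */
    rounded = contiguous ? model_roundup_pow_of_two(size)
                         : model_round_up(size, min_block_size);
    if (rounded <= mm_size)
        return PROCEED;            /* rounded size still fits in mm->size */
    if (!contiguous || range)
        return -EINVAL;            /* reject instead of reaching BUG_ON */
    return TRY_HARDER;             /* contiguous, no range: fallback */
}

int main(void)
{
    printf("%d\n", check_rounded_size(10 * GiB, 9 * GiB, 4096, true, false));
    printf("%d\n", check_rounded_size(10 * GiB, 9 * GiB, 8 * GiB, false, false));
    return 0;
}
```
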
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability occurs in the Linux kernel driver for DRM when large contiguous or non-contiguous memory allocations are requested. The requested size is rounded up to the next power of two or aligned up to the minimum block size, and if the rounded value exceeds the size of the memory region (mm->size), a BUG_ON is triggered during allocation. The resulting kernel panic crashes the system, which makes this a denial-of-service issue. The weakness is a failure to validate allocation bounds before proceeding to the kernel allocation path. Based on the description, it is inferred that the vulnerability is directly related to user-supplied allocation size parameters and the kernel's rounding logic.

Affected Systems

Any Linux kernel that includes the drm/buddy components and supports the DRM_BUDDY_CONTIGUOUS_ALLOCATION feature is affected, regardless of distribution. The specific kernel versions are not enumerated in the data, so all kernels prior to the patch that contains the round‑size validation fix are vulnerable.

Risk and Exploitability

Exploitation is local to processes that can issue DRM allocation requests, such as graphics applications or drivers. Because the bug leads to an unconditional crash, an attacker able to trigger the allocation path can cause a denial of service. The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, so the historical exploit probability and impact classification remain unknown. With a CVSS score of 5.5, the vulnerability is classified as medium severity, indicating moderate risk of system disruption. The likely attack vector is local, as the bug requires a process to request an oversized buffer. Based on the description, it is inferred that the attacker must have permission to influence graphics allocation requests or directly load a driver to trigger the rounding bug. The patch adds a bounds check before the allocation, returning -EINVAL for requests that would exceed the memory region, thereby eliminating the crash. Contiguous requests without a range restriction are instead redirected to a fallback that handles oversized allocations safely.

Generated by OpenCVE AI on May 13, 2026 at 16:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the round‑size validation fix for DRM_BUDDY allocations
  • If immediate patching is unavailable, disable the DRM_BUDDY_CONTIGUOUS_ALLOCATION feature or limit allocation sizes to within mm->size to avoid the rounding bug
  • Verify that no legacy DRM drivers or graphics applications are requesting allocations larger than the available VRAM before applying the patch

Advisories

No advisories yet.

History

Wed, 13 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 07 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/buddy: Prevent BUG_ON by validating rounded allocation When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is rounded up to the next power-of-two via roundup_pow_of_two(). Similarly, for non-contiguous allocations with large min_block_size, the size is aligned up via round_up(). Both operations can produce a rounded size that exceeds mm->size, which later triggers BUG_ON(order > mm->max_order). Example scenarios: - 9G CONTIGUOUS allocation on 10G VRAM memory: roundup_pow_of_two(9G) = 16G > 10G - 9G allocation with 8G min_block_size on 10G VRAM memory: round_up(9G, 8G) = 16G > 10G Fix this by checking the rounded size against mm->size. For non-contiguous or range allocations where size > mm->size is invalid, return -EINVAL immediately. For contiguous allocations without range restrictions, allow the request to fall through to the existing __alloc_contig_try_harder() fallback. This ensures invalid user input returns an error or uses the fallback path instead of hitting BUG_ON. v2: (Matt A) - Add Fixes, Cc stable, and Closes tags for context
Title drm/buddy: Prevent BUG_ON by validating rounded allocation
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:19:07.323Z

Reserved: 2026-05-01T14:12:55.990Z

Link: CVE-2026-43169

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:35.197

Modified: 2026-05-13T14:51:48.950

Link: CVE-2026-43169

Redhat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43169 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T16:45:44Z

Weaknesses