CVE-2026-43206 - Vulnerability Details

- drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()

The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8
bytes via memset without checking the buffer size parameter. This allows
unprivileged userspace to trigger an out-of bounds kernel memory write
by passing a small buffer, leading to potential privilege
escalation.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability resides in the Linux kernel's DRM AMDKFD driver. The kfd_event_page_set() function performs a memset operation of KFD_SIGNAL_EVENT_LIMIT * 8 bytes onto a buffer that is not verified against the supplied size argument. If an attacker supplies a buffer smaller than the requested length, the memset writes beyond the buffer boundaries, corrupting adjacent kernel memory. This bug can be abused by an unprivileged user to alter kernel data structures and elevate privileges to root.

Affected Systems

All Linux kernel releases that contain the DRM AMDKFD module are affected prior to the patch. The module is part of the Direct Rendering Manager for AMD GPUs. Customers running custom or distribution kernels with the outdated AMDKFD code must verify whether their kernel version incorporates the fix. The vulnerability compromises the entire kernel memory space rather than only a single device.

Risk and Exploitability

The attack requires local access to the kernel via the DRM interface and knowledge of the buffer size expected by kfd_event_page_set(). No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. The CVSS score is not indicated, but the impact is a classic privilege escalation that may grant unrestricted system control. While no publicly known exploit exists, out‑of‑bounds writes in kernel code frequently lead to efficient kernel exploits. Administrators should treat this as high risk and apply the available patch promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 3e04bc310d80b46eaf481f1fefcbcb37a187412d
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< b4034442cb090e4a980bdcc1540948606cbc951b
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 4857c37c7ba9aa38b9a4c694e8bd8d0091c87940
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 75fb57efdd7863fffbc39db23e9cad7aafda26ed
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< bfcd6b53e1f4feb182952f4ff9a137c36ceaf20b
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 4e72f419e4ed44cb3b60506752d8688c20a60a9b
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 8a70a26c9f34baea6c3199a9862ddaff4554a96d

Linux

affected

Version	Status	Constraints
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,3e04bc310d80b46eaf481f1fefcbcb37a187412d)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,b4034442cb090e4a980bdcc1540948606cbc951b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,4857c37c7ba9aa38b9a4c694e8bd8d0091c87940)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,75fb57efdd7863fffbc39db23e9cad7aafda26ed)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,bfcd6b53e1f4feb182952f4ff9a137c36ceaf20b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,4e72f419e4ed44cb3b60506752d8688c20a60a9b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8a70a26c9f34baea6c3199a9862ddaff4554a96d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the AMDKFD kfd_event_page_set fix.
Restrict or block unprivileged users' access to the /dev/dri/kfd device to prevent misuse of the affected function.
Enable kernel hardening options such as KASLR, CFG, and Secure Computing mode to reduce the effectiveness of the out‑of‑bounds write.

Generated by OpenCVE AI on May 6, 2026 at 14:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3e04bc310d80b46eaf481f1fefcbcb37a187412d
https://git.kernel.org/stable/c/4857c37c7ba9aa38b9a4c694e8bd8d0091c87940
https://git.kernel.org/stable/c/4e72f419e4ed44cb3b60506752d8688c20a60a9b
https://git.kernel.org/stable/c/75fb57efdd7863fffbc39db23e9cad7aafda26ed
https://git.kernel.org/stable/c/8a70a26c9f34baea6c3199a9862ddaff4554a96d
https://git.kernel.org/stable/c/b4034442cb090e4a980bdcc1540948606cbc951b
https://git.kernel.org/stable/c/bfcd6b53e1f4feb182952f4ff9a137c36ceaf20b
https://git.kernel.org/stable/c/de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f

History

Wed, 06 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of bounds kernel memory write by passing a small buffer, leading to potential privilege escalation.
Title		drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3e04bc310d80b46eaf481f1fefcbcb37a187412d https://git.kernel.org/stable/c/4857c37c7ba9aa38b9a4c694e8bd8d0091c87940 https://git.kernel.org/stable/c/4e72f419e4ed44cb3b60506752d8688c20a60a9b https://git.kernel.org/stable/c/75fb57efdd7863fffbc39db23e9cad7aafda26ed https://git.kernel.org/stable/c/8a70a26c9f34baea6c3199a9862ddaff4554a96d https://git.kernel.org/stable/c/b4034442cb090e4a980bdcc1540948606cbc951b https://git.kernel.org/stable/c/bfcd6b53e1f4feb182952f4ff9a137c36ceaf20b https://git.kernel.org/stable/c/de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:10.937Z

Updated: 2026-05-06T11:28:10.937Z

Reserved: 2026-05-01T14:12:55.993Z

Link: CVE-2026-43206

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:39.903

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43206

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T19:00:05Z

Weaknesses

CWE-787

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object