Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify

Invalidating a dmabuf will impact other users of the shared BO.
In the scenario where process A moves the BO, it needs to inform
process B about the move and process B will need to update its
page table.

The commit fixes a synchronisation bug caused by the use of the
ticket: it made amdgpu_vm_handle_moved behave as if updating
the page table immediately was correct but in this case it's not.

An example is the following scenario, with 2 GPUs and glxgears
running on GPU0 and Xorg running on GPU1, on a system where P2P
PCI isn't supported:

glxgears:
export linear buffer from GPU0 and import using GPU1
submit frame rendering to GPU0
submit tiled->linear blit
Xorg:
copy of linear buffer

The sequence of jobs would be:
drm_sched_job_run # GPU0, frame rendering
drm_sched_job_queue # GPU0, blit
drm_sched_job_done # GPU0, frame rendering
drm_sched_job_run # GPU0, blit
move linear buffer for GPU1 access #
amdgpu_dma_buf_move_notify -> update pt # GPU0

It this point the blit job on GPU0 is still running and would
likely produce a page fault.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a synchronization bug in the amdgpu driver’s handling of dmabuf move notifications. When a buffer object is relocated from one GPU to another, the driver assumes the destination GPU’s page table has been updated immediately, but the update occurs asynchronously. This mis‑sync can cause a race condition where the source GPU still accesses the buffer after it has been moved, potentially resulting in a page fault. The faulty logic is tied to the ticket mechanism controlling the move operation.

Affected Systems

The flaw exists in the Linux kernel’s amdgpu driver. No specific kernel version list is provided, so any kernel containing the mentioned code before the reported commit is vulnerable. The issue is relevant on systems running multiple GPUs that share buffer objects, especially when PCIe peer‑to‑peer is not available. Affected vendors count as Linux kernel; vendors of specific distributions are all that ship the kernel with the unpatched amdgpu code.

Risk and Exploitability

The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog. The flaw can lead to a denial of service by causing a page fault that may disrupt rendering or crash the kernel. The attack vector is inferred to be a local user or process that can initiate GPU workloads that trigger buffer moves, as the bug is triggered during normal operation. No public exploit is documented, but the potential for service disruption remains high for affected systems.

Generated by OpenCVE AI on May 15, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the amdgpu driver patch correcting the dmabuf move notification race.
  • If a distribution update is not yet available, retrieve the upstream commit that implements the fix, apply it to your kernel source tree, rebuild the kernel, and install the patched build.
  • Reduce or disable scenarios that trigger dmabuf moves across GPUs, such as disabling peer‑to‑peer sharing or ensuring buffer objects are not moved while in use by other GPU contexts.

Generated by OpenCVE AI on May 15, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Tue, 12 May 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Tue, 12 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References

Fri, 08 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify Invalidating a dmabuf will impact other users of the shared BO. In the scenario where process A moves the BO, it needs to inform process B about the move and process B will need to update its page table. The commit fixes a synchronisation bug caused by the use of the ticket: it made amdgpu_vm_handle_moved behave as if updating the page table immediately was correct but in this case it's not. An example is the following scenario, with 2 GPUs and glxgears running on GPU0 and Xorg running on GPU1, on a system where P2P PCI isn't supported: glxgears: export linear buffer from GPU0 and import using GPU1 submit frame rendering to GPU0 submit tiled->linear blit Xorg: copy of linear buffer The sequence of jobs would be: drm_sched_job_run # GPU0, frame rendering drm_sched_job_queue # GPU0, blit drm_sched_job_done # GPU0, frame rendering drm_sched_job_run # GPU0, blit move linear buffer for GPU1 access # amdgpu_dma_buf_move_notify -> update pt # GPU0 It this point the blit job on GPU0 is still running and would likely produce a page fault.
Title drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:22:14.662Z

Reserved: 2026-05-01T14:12:56.001Z

Link: CVE-2026-43318

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T14:16:40.363

Modified: 2026-05-15T18:22:33.780

Link: CVE-2026-43318

cve-icon Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43318 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T20:00:07Z

Weaknesses