CVE-2026-43400 - Vulnerability Details

- drm/amdgpu: add upper bound check on user inputs in signal ioctl

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: add upper bound check on user inputs in signal ioctl

Huge input values in amdgpu_userq_signal_ioctl can lead to a OOM and
could be exploited.

So check these input value against AMDGPU_USERQ_MAX_HANDLES
which is big enough value for genuine use cases and could
potentially avoid OOM.

(cherry picked from commit be267e15f99bc97cbe202cd556717797cdcf79a5)

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the amdgpu driver’s ioctl handler allows callers to provide arbitrarily large numerical values that cause the kernel to allocate memory until the system runs out of memory, triggering OOM killers and crashing the system. The weakness is an input validation failure that can be abused to exhaust system resources, resulting in availability loss for the affected host. This vulnerability a classic example of uncontrolled resource consumption.

Affected Systems

The vulnerability affects the Linux kernel and its AMDGPU DRM driver. No specific kernel version ranges are cited, so any version that includes the exposed code path before the upper‑bound check is vulnerable. Administrators should verify whether their installed kernel has been patched with the fix present in the 46630d966b99b0fc6cb01fef4110587f3375a0c0 commit or later.

Risk and Exploitability

The CVSS score is not provided in the data, and the EPSS score is unavailable, so precise exploitation likelihood cannot be quantified from the available information. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local use of the amdgpu ioctl interface, implying that a user with access to the relevant device files could trigger the flaw. Exploitation would require the attacker to construct a privileged or otherwise capable user context to invoke the ioctl with oversized arguments.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a292fdecd72834b3bec380baa5db1e69e7f70679`	affected	< 6fff5204d8aa26b1be50b6427f833bd3e8899c4f
`a292fdecd72834b3bec380baa5db1e69e7f70679`	affected	< 46630d966b99b0fc6cb01fef4110587f3375a0c0
`a292fdecd72834b3bec380baa5db1e69e7f70679`	affected	< ea78f8c68f4f6211c557df49174c54d167821962

Linux

affected

Version	Status	Constraints
`6.16`	affected	—
`0`	unaffected	< 6.16
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6fff5204d8aa26b1be50b6427f833bd3e8899c4f)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,46630d966b99b0fc6cb01fef4110587f3375a0c0)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ea78f8c68f4f6211c557df49174c54d167821962)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a Linux kernel version that contains the commit adding the upper‑bound check for amdgpu_userq_signal_ioctl.
If you compile your own kernel, cherry‑pick the commit SHA 46630d966b99b0fc6cb01fef4110587f3375a0c0 (or the equivalent later commit) into the kernel source and rebuild it.
Consider disabling or restricting the AMDGPU DRM device access for untrusted users by adjusting /dev/dri/card* permissions so that only privileged processes can call the ioctl.
Limit or monitor memory usage on the system and configure OOM settings to reduce the impact of any potential abuse of the driver.

Generated by OpenCVE AI on May 9, 2026 at 05:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/46630d966b99b0fc6cb01fef4110587f3375a0c0
https://git.kernel.org/stable/c/6fff5204d8aa26b1be50b6427f833bd3e8899c4f
https://git.kernel.org/stable/c/ea78f8c68f4f6211c557df49174c54d167821962
https://lore.kernel.org/linux-cve-announce/2026050839-CVE-2026-43400-3a71@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43400
https://www.cve.org/CVERecord?id=CVE-2026-43400

History

Sat, 09 May 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-400

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1284
References		https://lore.kernel.org/linux-cve-announce/2026050839-CVE-2026-43400-3a71@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43400 https://www.cve.org/CVERecord?id=CVE-2026-43400

Fri, 08 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add upper bound check on user inputs in signal ioctl Huge input values in amdgpu_userq_signal_ioctl can lead to a OOM and could be exploited. So check these input value against AMDGPU_USERQ_MAX_HANDLES which is big enough value for genuine use cases and could potentially avoid OOM. (cherry picked from commit be267e15f99bc97cbe202cd556717797cdcf79a5)
Title		drm/amdgpu: add upper bound check on user inputs in signal ioctl
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/46630d966b99b0fc6cb01fef4110587f3375a0c0 https://git.kernel.org/stable/c/6fff5204d8aa26b1be50b6427f833bd3e8899c4f https://git.kernel.org/stable/c/ea78f8c68f4f6211c557df49174c54d167821962

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:42.225Z

Updated: 2026-05-09T04:10:48.826Z

Reserved: 2026-05-01T14:12:56.007Z

Link: CVE-2026-43400

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:51.430

Modified: 2026-05-08T15:16:51.430

Link: CVE-2026-43400

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43400 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T05:30:16Z

Weaknesses

CWE-1284

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object