Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Add bounds checking to ib_{get,set}_value

The uvd/vce/vcn code accesses the IB at predefined offsets without
checking that the IB is large enough. Check the bounds here. The caller
is responsible for making sure it can handle arbitrary return values.

Also make the idx a uint32_t to prevent overflows causing the condition
to fail.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel AMDGPU driver, the uvd/vce/vcn components access instruction buffers without first verifying that the buffer is large enough. This missing bounds check permits the kernel to read or write memory beyond the intended buffer boundaries, corrupting kernel memory. The fix introduces explicit bounds verification and changes the index type to an unsigned 32‑bit value to prevent overflow conditions that could bypass the check. If exploited, an attacker able to invoke this code locally could achieve arbitrary kernel‑level code execution and elevate privileges to root on the affected system.
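
The bounds check and the unsigned index described above can be illustrated with a simplified user-space model. This is an added example, not the kernel's code. The struct, the function names, the signed-index variant and the choice to return 0 for an out-of-range read are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model of an indirect buffer (IB): dwords plus a length. */
struct model_ib {
    uint32_t *ptr;
    uint32_t length_dw;
};

/* Constructed sample: a 4-dword IB, shorter than the offsets a parser may expect. */
static uint32_t sample_dw[4] = {0x11, 0x22, 0x33, 0x44};
static struct model_ib sample_ib = {sample_dw, 4};

/* Signed index (assumed for illustration): -1 < 4 is true, so the check
 * passes for an index that points before the buffer. Decision only, no access. */
static int signed_check_accepts(const struct model_ib *ib, int idx)
{
    return idx < (int)ib->length_dw;
}

/* Unsigned index: a wrapped or negative value becomes a huge number and is
 * rejected. Returning 0 for out-of-range reads is this model's choice. */
static uint32_t model_ib_get_value(const struct model_ib *ib, uint32_t idx)
{
    return idx < ib->length_dw ? ib->ptr[idx] : 0;
}

/* Out-of-range writes are dropped; -1 tells the caller nothing was stored. */
static int model_ib_set_value(struct model_ib *ib, uint32_t idx, uint32_t value)
{
    if (idx >= ib->length_dw)
        return -1;
    ib->ptr[idx] = value;
    return 0;
}

int main(void)
{
    printf("signed check accepts -1: %d\n", signed_check_accepts(&sample_ib, -1));
    printf("get idx 3: 0x%x\n", (unsigned)model_ib_get_value(&sample_ib, 3));
    printf("get idx 4 (past end): 0x%x\n", (unsigned)model_ib_get_value(&sample_ib, 4));
    printf("get idx (uint32_t)-1: 0x%x\n", (unsigned)model_ib_get_value(&sample_ib, (uint32_t)-1));
    printf("set idx 10: %d\n", model_ib_set_value(&sample_ib, 10, 7));
    return 0;
}
```

A caller of such an accessor cannot tell a rejected read from a stored zero, which is why the description leaves validation of the returned value to the caller.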

Affected Systems

All Linux kernel builds that include the AMDGPU driver and its uvd, vce, and vcn components are affected if they have not yet received the bounds‑checking update. No specific version range is cited, so any system running a kernel with this driver before the patch is at risk.

Risk and Exploitability

The EPSS score of 0.00018 (<1%) indicates a very low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread exploitation has been observed. This is a local kernel vulnerability; the attacker requires local access to the machine. A successful exploit could grant root privileges, but the low EPSS score and absence from KEV suggest the risk is moderate for most organizations, although the impact would be high if the flaw were exploited.

Generated by OpenCVE AI on May 29, 2026 at 05:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that incorporates the bounds‑checking fix for the AMDGPU driver.
  • If an updated kernel is not yet available, disable or unload the AMDGPU driver on systems and services that do not require GPU acceleration.
  • Verify that any third‑party drivers or firmware interacting with the GPU do not use the vulnerable uvd/vce/vcn code paths; apply vendor‑specific patches if available.

Advisories

No advisories yet.

History

Fri, 29 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-788

Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-788

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Add bounds checking to ib_{get,set}_value The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values. Also make the idx a uint32_t to prevent overflows causing the condition to fail.
Title drm/amdgpu: Add bounds checking to ib_{get,set}_value
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:40:34.367Z

Reserved: 2026-05-13T15:03:33.105Z

Link: CVE-2026-46218

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:37.423

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46218

Redhat

Severity:

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46218 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T05:45:36Z
