Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions
that verify fence writeback addresses are dword-aligned. These
assertions can be reached from unprivileged userspace via crafted
DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a
scheduler worker thread.

Replace both BUG_ON() calls with WARN_ON() to log the condition without
crashing the kernel. A misaligned fence address at this point indicates
a driver bug, but crashing the kernel is never the correct response when
the assertion is reachable from userspace.

The CS IOCTL path is the correct place to filter invalid submissions;
the ring emission callback is too late to do anything about it.

(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AMDGPU driver uses two BUG_ON assertions to verify that a fence writeback address is dword-aligned. The condition can be reached by an unprivileged userspace process that submits a crafted DRM_IOCTL_AMDGPU_CS command. When the misaligned address is detected, the kernel panics, taking the host system offline and resulting in a denial of service. The intent of the original code was to signal a driver bug; however, letting a user trigger a crash is an inappropriate response. Replacing the assertions with WARN_ON logs the issue without taking the system down.
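The pattern the description argues for, as an added user-space C model (not amdgpu source and not part of this record): reject a misaligned address at the submission boundary, where an error can still be returned, and log rather than halt in the late emission callback. All model_* names, the ring layout and the sample addresses are constructed for illustration.

```c
/* User-space model, constructed for illustration; not kernel or amdgpu code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

static unsigned warn_count;   /* stands in for entries in the kernel log */

/* Model of WARN_ON(): report the condition, count it, keep running. */
#define MODEL_WARN_ON(cond) \
    ((cond) ? (fprintf(stderr, "WARN: %s (%s:%d)\n", #cond, __FILE__, __LINE__), \
               warn_count++, 1) : 0)

struct model_ring { uint32_t buf[16]; unsigned wptr; };

/* Trust boundary (hypothetical name): reject a misaligned fence address
 * while an error code can still be returned to the submitter. */
static int model_cs_validate_fence_addr(uint64_t addr)
{
    return (addr & 0x3) ? -EINVAL : 0;
}

/* Late callback (hypothetical name): there is no caller to return an
 * error to, so a failed check is logged instead of being fatal. */
static void model_ring_emit_fence(struct model_ring *r, uint64_t addr, uint32_t seq)
{
    (void)MODEL_WARN_ON(addr & 0x3);
    r->buf[r->wptr++ % 16] = (uint32_t)addr;          /* model word: addr low  */
    r->buf[r->wptr++ % 16] = (uint32_t)(addr >> 32);  /* model word: addr high */
    r->buf[r->wptr++ % 16] = seq;                     /* model word: sequence  */
}

/* Submission path: validate first, emit only what passed validation. */
static int model_submit(struct model_ring *r, uint64_t addr, uint32_t seq)
{
    int ret = model_cs_validate_fence_addr(addr);
    if (ret)
        return ret;
    model_ring_emit_fence(r, addr, seq);
    return 0;
}

int main(void)
{
    struct model_ring ring = {0};
    printf("aligned:    %d\n", model_submit(&ring, 0x1000, 1));
    printf("misaligned: %d\n", model_submit(&ring, 0x1002, 2));
    model_ring_emit_fence(&ring, 0x1002, 3);  /* check bypassed: warns, survives */
    printf("warnings logged: %u\n", warn_count);
    return 0;
}
```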

Affected Systems

All Linux kernel releases that contain the AMDGPU SDMA4 code from before the patch are affected. Users of Linux kernels with the AMDGPU driver installed could exploit the flaw through the DRM interface; no specific kernel version range was supplied by the CNA.

Risk and Exploitability

The vulnerability is exploitable by any unprivileged user who has write access to the DRM device and can submit CS commands. Because it leads only to a kernel panic and does not provide code execution or data exfiltration, the impact is limited to denial of service. No public exploit is known at this time. EPSS data is not available and the issue is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on May 28, 2026 at 13:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the patch replacing BUG_ON with WARN_ON in drm/amdgpu/sdma4
  • Restrict access to the AMDGPU DRM device so that only privileged processes can open it, or temporarily disable the AMDGPU driver
  • Temporarily blacklist or unload the AMDGPU kernel module until a patched kernel is available, if GPU functionality is not essential

Advisories

No advisories yet.

History

Thu, 28 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned. These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread. Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel. A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace. The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it. (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
Title | | drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:40:35.971Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46220

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:37.640

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T13:00:21Z

Weaknesses

No weakness.