Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions
that verify fence writeback addresses are dword-aligned. These
assertions can be reached from unprivileged userspace via crafted
DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a
scheduler worker thread.

Replace both BUG_ON() calls with WARN_ON() to log the condition without
crashing the kernel. A misaligned fence address at this point indicates
a driver bug, but crashing the kernel is never the correct response when
the assertion is reachable from userspace.

The CS IOCTL path is the correct place to filter invalid submissions;
the ring emission callback is too late to do anything about it.

(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AMDGPU driver uses two BUG_ON assertions to verify that a fence writeback address is dword-aligned. An unprivileged userspace process can reach the condition by submitting a crafted DRM_IOCTL_AMDGPU_CS command. When the misaligned address is detected, the kernel panics, taking the host system offline and resulting in a denial of service. The original code was intended to signal a driver bug, but letting a user trigger a crash was an inappropriate response. Replacing the assertions with WARN_ON logs the issue without taking the system down.
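The pattern described above, as an added userspace model in C (not kernel code and not part of the original record): a late emission step that only warns on a misaligned address, and an early submission step that rejects it. All names, the ring layout and the opcode value are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not the amdgpu API. */
#define RING_DWORDS 64
struct ring { uint32_t buf[RING_DWORDS]; unsigned wptr; unsigned warnings; };

/* WARN_ON-like: report the condition, count it, keep running.
 * A BUG_ON-like check would stop here instead, which in the kernel
 * is the fatal path a crafted submission could reach. */
static int model_warn_on(struct ring *r, int cond, const char *what)
{
    if (cond) {
        r->warnings++;
        fprintf(stderr, "WARNING: %s\n", what);
    }
    return cond;
}

static void ring_write(struct ring *r, uint32_t v)
{
    r->buf[r->wptr++ % RING_DWORDS] = v;
}

/* Late stage: the job is already scheduled, nothing can be rejected here. */
void emit_fence(struct ring *r, uint64_t addr, uint32_t seq)
{
    model_warn_on(r, (addr & 0x3) != 0, "fence address not dword-aligned");
    ring_write(r, 0x5);                    /* placeholder fence opcode */
    ring_write(r, (uint32_t)addr);         /* low 32 bits of the address */
    ring_write(r, (uint32_t)(addr >> 32)); /* high 32 bits of the address */
    ring_write(r, seq);
}

/* Early stage: the submission path can still return an error to the caller. */
int submit_job(struct ring *r, uint64_t fence_addr, uint32_t seq)
{
    if (fence_addr & 0x3)
        return -EINVAL; /* rejected before anything reaches the ring */
    emit_fence(r, fence_addr, seq);
    return 0;
}

int main(void)
{
    struct ring r = {0};
    printf("misaligned submit -> %d\n", submit_job(&r, 0x1002, 1)); /* constructed input */
    printf("aligned submit    -> %d\n", submit_job(&r, 0x1000, 1));
    return 0;
}
```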

Affected Systems

All Linux kernel releases that contain the AMDGPU SDMA4 code from before the patch are affected. On systems with the AMDGPU driver installed, the flaw could be exploited through the DRM interface. The CNA supplied no specific kernel version range, so the affected releases are inferred rather than explicitly listed.

Risk and Exploitability

The vulnerability is exploitable by any unprivileged user who has write access to the DRM device and can submit CS commands. Because it leads only to a kernel panic and does not provide code execution or data exfiltration, the impact is limited to denial of service. The CVSS score is 5.5, indicating moderate severity. No public exploit is known at this time. The EPSS score is less than 1%, indicating a very low exploit probability, and the issue is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on June 10, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the patch replacing BUG_ON with WARN_ON in drm/amdgpu/sdma4, addressing the logic flaw identified by CWE-1285 and CWE-617.
  • Restrict access to the AMDGPU DRM device so that only privileged users can open it, for example by adjusting udev rules or device permissions.
  • If GPU functionality is not essential, temporarily disable, unload, or blacklist the AMDGPU kernel module until a patched kernel is available.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-617
CPEs | | cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 01 Jun 2026 17:00:00 +0000


Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned. These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread. Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel. A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace. The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it. (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
Title | | drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:03:38.077Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46220

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:37.640

Modified: 2026-06-10T18:45:07.643

Link: CVE-2026-46220

Redhat

Severity :

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46220 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T20:45:40Z

Weaknesses
  • CWE-1285

    Improper Validation of Specified Index, Position, or Offset in Input

  • CWE-617

    Reachable Assertion