CVE-2026-46229 - Vulnerability Details

- drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure

KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE
but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated
VRAM with stale data from prior use observable by compute kernels.

The GEM ioctl path already sets VRAM_CLEARED for all userspace
allocations via amdgpu_gem_create_ioctl() and
amdgpu_mode_dumb_create(). The KFD path was missing this flag,
allowing stale page table remnants to leak into user buffers.

This causes crashes in RCCL P2P transport where non-zero data in
ptrExchange/head/tail fields corrupts the protocol handshake.

Published: 2026-05-28

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allowed compute kernels with access to AMDGPU VRAM to read stale data that remained from previous allocations before the buffer was wiped, exposing potentially sensitive information and causing crashes when pointer exchange fields were corrupted. This is an information exposure flaw that could allow privileged users to leak data from GPU memory.

Affected Systems

Linux kernel across all distributions. The defect was in the AMD Kernel Fusion Driver (KFD) path for VRAM allocation; the patch is incorporated via the commit sequence referenced in the advisory URLs. No specific fixed version is listed, but any kernel containing those changes is immune.

Risk and Exploitability

The flaw is local to systems that support the AMD KFD interface. An attacker who can execute compute kernels on the affected host could read stale VRAM content, potentially leaking sensitive data. The CVSS score of 5.5 indicates moderate severity, while the EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, meaning the probability of exploitation is low. However, the impact remains significant for privileged users with compute‑kernel privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`6856e4b65f64eeb3f17148f79b36c1d60c627529`	affected	< 1db431380879fd9d28b763a88a0c0431be5be8df
`6856e4b65f64eeb3f17148f79b36c1d60c627529`	affected	< 32b153658f017ad2f5bf8aab479e8d16ac95bc3a
`6856e4b65f64eeb3f17148f79b36c1d60c627529`	affected	< 77d0b5d11387071770246fd0185a69fa28e8e109
`6856e4b65f64eeb3f17148f79b36c1d60c627529`	affected	< 047d44d8d29a6a1a5757256837aa9dd78e3cd0b5
`6856e4b65f64eeb3f17148f79b36c1d60c627529`	affected	< ad52d61d82181dbdb7f05826de38352d5e550cc2

Linux

affected

Version	Status	Constraints
`5.4`	affected	—
`0`	unaffected	< 5.4
`6.6.140`	unaffected	≤ 6.6.*
`6.12.90`	unaffected	≤ 6.12.*
`6.18.32`	unaffected	≤ 6.18.*
`7.0.9`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1db431380879fd9d28b763a88a0c0431be5be8df)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,32b153658f017ad2f5bf8aab479e8d16ac95bc3a)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,77d0b5d11387071770246fd0185a69fa28e8e109)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,047d44d8d29a6a1a5757256837aa9dd78e3cd0b5)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ad52d61d82181dbdb7f05826de38352d5e550cc2)`	affected	code_commit	—
`[0,6.6.140)`	affected	semver	—
`[0,6.12.90)`	affected	semver	—
`[0,6.18.32)`	affected	semver	—
`[0,7.0.9)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.6.140,7.0.0)`	unaffected	semver	—
`[6.12.90,6.13.0)`	unaffected	semver	—
`[6.18.32,6.19.0)`	unaffected	semver	—
`[7.0.9,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a release that includes the patch, which can be identified by the commit references supplied.
If a kernel update cannot be applied immediately, disable or refrain from using KFD compute workloads until the kernel is updated.
Keep AMD GPU drivers and firmware up to date, as they may contain additional mitigations for VRAM handling.

Generated by OpenCVE AI on June 10, 2026 at 22:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00119.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/047d44d8d29a6a1a5757256837aa9dd78e3cd0b5
https://git.kernel.org/stable/c/1db431380879fd9d28b763a88a0c0431be5be8df
https://git.kernel.org/stable/c/32b153658f017ad2f5bf8aab479e8d16ac95bc3a
https://git.kernel.org/stable/c/77d0b5d11387071770246fd0185a69fa28e8e109
https://git.kernel.org/stable/c/ad52d61d82181dbdb7f05826de38352d5e550cc2
https://lore.kernel.org/linux-cve-announce/2026052839-CVE-2026-46229-e297@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46229
https://www.cve.org/CVERecord?id=CVE-2026-46229

History

Wed, 10 Jun 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 29 May 2026 04:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-200 CWE-548

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-909
References		https://lore.kernel.org/linux-cve-announce/2026052839-CVE-2026-46229-e297@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46229 https://www.cve.org/CVERecord?id=CVE-2026-46229

Thu, 28 May 2026 12:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200 CWE-548

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels. The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers. This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.
Title		drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/047d44d8d29a6a1a5757256837aa9dd78e3cd0b5 https://git.kernel.org/stable/c/1db431380879fd9d28b763a88a0c0431be5be8df https://git.kernel.org/stable/c/32b153658f017ad2f5bf8aab479e8d16ac95bc3a https://git.kernel.org/stable/c/77d0b5d11387071770246fd0185a69fa28e8e109 https://git.kernel.org/stable/c/ad52d61d82181dbdb7f05826de38352d5e550cc2

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:40:51.300Z

Updated: 2026-06-14T18:04:17.225Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46229

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:38.520

Modified: 2026-06-10T21:12:21.960

Link: CVE-2026-46229

Redhat

Severity :

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46229 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T22:45:27Z

Weaknesses

CWE-909
Missing Initialization of Resource
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object