Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: avoid double drm_exec_fini() in userq validate

When new_addition is true, amdgpu_userq_vm_validate() calls
drm_exec_fini(&exec) before iterating over the collected HMM ranges and
calling amdgpu_ttm_tt_get_user_pages().

If amdgpu_ttm_tt_get_user_pages() fails in that path, the code jumps to
unlock_all and calls drm_exec_fini(&exec) a second time on the same
exec object. drm_exec_fini() is not idempotent: it frees exec->objects
and may also drop exec->contended and finalize the ww acquire context.

Route that error path directly to the range cleanup once exec has
already been finalized.

Issue found using a prototype static analysis tool
and confirmed by code review.

(cherry picked from commit 2802952e4a07306da6ebe813ff1acacc5691851a)
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates in the AMDGPU driver’s user queue validation routine. When a page‑mapping request fails, the driver calls drm_exec_fini twice on the same execution object. Because drm_exec_fini is not idempotent, the second call attempts to free already‑freed structures and can corrupt kernel memory, ultimately causing a crash that results in a denial‑of‑service. The flaw is a double‑free and use‑after‑free issue (CWE‑1341).

Affected Systems

Any Linux system running a kernel revision that contains the unpatched amdgpu code is potentially impacted. The advisory does not specify affected kernel versions, so any distribution whose kernel has not incorporated commit 2802952e4a07306da6ebe813ff1acacc5691851a remains vulnerable. This includes the upstream kernel shipped with many mainstream Linux distributions that enable AMDGPU support out of the box.

Risk and Exploitability

The CVSS score of 7.8 indicates moderate‑to‑high severity, while the EPSS score of <1% suggests a low likelihood of exploitation at this not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would likely require a driver fault during AMDGPU operation—such as a failed page mapping—that triggers the error path. No public exploits have been documented, but the kernel panic that can result from the double cleanup presents a serious reliability risk and warrants immediate patching.

Generated by OpenCVE AI on June 28, 2026 at 13:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes commit 2802952e4a07306da6ebe813ff1acacc5691851a to eliminate the double drm_exec_fini call, directly addressing the double‑free flaw.
  • If an immediate kernel update is not possible, consider temporarily disabling the AMDGPU kernel module to avoid the vulnerable code path until the patch is applied.
  • Monitor boot and kernel logs for unexpected panics or memory corruption events. Observing such anomalies indicates that the vulnerable path may have been triggered; this monitoring step is recommended as a detection measure.

Generated by OpenCVE AI on June 28, 2026 at 13:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 27 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CWE-416

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1341
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid double drm_exec_fini() in userq validate When new_addition is true, amdgpu_userq_vm_validate() calls drm_exec_fini(&exec) before iterating over the collected HMM ranges and calling amdgpu_ttm_tt_get_user_pages(). If amdgpu_ttm_tt_get_user_pages() fails in that path, the code jumps to unlock_all and calls drm_exec_fini(&exec) a second time on the same exec object. drm_exec_fini() is not idempotent: it frees exec->objects and may also drop exec->contended and finalize the ww acquire context. Route that error path directly to the range cleanup once exec has already been finalized. Issue found using a prototype static analysis tool and confirmed by code review. (cherry picked from commit 2802952e4a07306da6ebe813ff1acacc5691851a)
Title drm/amdgpu: avoid double drm_exec_fini() in userq validate
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:45:35.716Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52987

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52987 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:15:16Z

Weaknesses
  • CWE-1341

    Multiple Releases of Same Resource or Handle