Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: avoid double drm_exec_fini() in userq validate

When new_addition is true, amdgpu_userq_vm_validate() calls
drm_exec_fini(&exec) before iterating over the collected HMM ranges and
calling amdgpu_ttm_tt_get_user_pages().

If amdgpu_ttm_tt_get_user_pages() fails in that path, the code jumps to
unlock_all and calls drm_exec_fini(&exec) a second time on the same
exec object. drm_exec_fini() is not idempotent: it frees exec->objects
and may also drop exec->contended and finalize the ww acquire context.

Route that error path directly to the range cleanup once exec has
already been finalized.

Issue found using a prototype static analysis tool
and confirmed by code review.

(cherry picked from commit 2802952e4a07306da6ebe813ff1acacc5691851a)
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when amdgpu_userq_vm_validate() calls drm_exec_fini() twice on the same exec object: once before walking the collected HMM ranges, and again on the error path taken when amdgpu_ttm_tt_get_user_pages() fails. Because drm_exec_fini() is not idempotent and frees internal structures on the first call, the second call corrupts kernel memory and can trigger a crash, resulting in denial of service.
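
The control flow from the description, reduced to a user-space C model; this is an added example, not the kernel's or the patch's code. model_exec, validate_model and the free_ranges label are hypothetical names, and everything except the failing path is simplified.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical user-space stand-in for struct drm_exec. */
struct model_exec {
    void *objects;    /* stands in for exec->objects */
    int fini_calls;   /* times fini ran on this object */
};

static void model_exec_init(struct model_exec *e)
{
    e->objects = malloc(64);
    e->fini_calls = 0;
}

/* Stand-in for drm_exec_fini(). The real function must not run twice; the
 * model frees once and only counts repeats so the demo stays well defined. */
static void model_exec_fini(struct model_exec *e)
{
    if (e->fini_calls++ == 0)
        free(e->objects);
}

/* Returns how many times fini ran on the one exec object.
 * fixed == false: a page-lookup error after the early fini jumps to unlock_all.
 * fixed == true:  that error goes straight to range cleanup. */
int validate_model(bool new_addition, bool get_pages_fails, bool fixed)
{
    struct model_exec exec;

    model_exec_init(&exec);
    if (new_addition) {
        model_exec_fini(&exec);         /* early fini before the range walk */
        if (get_pages_fails && !fixed)  /* amdgpu_ttm_tt_get_user_pages() failed */
            goto unlock_all;            /* pre-fix: exec is already finalized */
        goto free_ranges;               /* fixed error path; success simplified */
    }
unlock_all:
    model_exec_fini(&exec);             /* second fini when reached after early fini */
free_ranges:                            /* hypothetical label: range cleanup */
    return exec.fini_calls;
}
```

A return value of 2 marks the path where the real driver would finalize an already finalized exec object; every other path finalizes it exactly once.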

Affected Systems

Any Linux distribution running a kernel that contains the unpatched amdgpu driver code is affected. The exact kernel versions are not listed in the advisory, so any system that has not applied the commit that removed the double call is potentially vulnerable. Distributions using the default kernel or a custom build with AMDGPU support may be impacted.

Risk and Exploitability

No CVSS score is provided, no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. No publicly documented exploits are known. The risk appears limited to accidental or intentional execution of the error path, which requires failures in page mapping during AMDGPU operation. However, because the flaw can cause a kernel panic, the potential impact remains high and warrants immediate patching. The lack of evidence of commercial exploitation suggests a low exploitation likelihood, but the absence of a known exploit does not eliminate risk.

Generated by OpenCVE AI on June 24, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes commit 2802952e4a07306da6ebe813ff1acacc5691851a, which eliminates the double drm_exec_fini call.
  • If an update is not yet available, limit or block applications that generate large numbers of amdgpu kernel memory mappings to reduce the likelihood of reaching the error path.
  • Monitor system logs for kernel panics or related memory corruption events and schedule timely patch deployment once the update is available.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-415, CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description section at the top of this page)
Title | | drm/amdgpu: avoid double drm_exec_fini() in userq validate
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:01.633Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52987

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:00:11Z

Weaknesses