Description
In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Skip CSD when it has zeroed workgroups

A compute shader dispatch encodes its workgroup counts in the CFG0..CFG2
registers. Kicking off a dispatch with a zero count in any of the three
dimensions is invalid. First, the hardware will process 0 as 65536,
while the user-space driver exposes a maximum of 65535. Over that, a
submission with a zeroed workgroup dimension should be a no-op.

These zeroed counts can reach the dispatch path through an indirect CSD
job, whose workgroup counts are only known once the indirect buffer is
read and may legitimately be zero, but such a scenario should only result in
a no-op.

Overwrite the indirect CSD job workgroup counts with the indirect BO
ones, even if they are zeroed, and don't submit the job to the hardware
when any of the workgroup counts is zero, so the job completes immediately
instead of running the shader.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel drm/v3d driver allows compute shader dispatches that specify a zero workgroup count to reach the hardware, which processes the zero as if the count were 65,536. A dispatch that was intended to be a no-op therefore runs as a massive one, enabling a potentially large number of compute threads to execute. This misinterpretation can lead to excessive resource consumption or a crash, effectively creating a denial-of-service condition for the system or for other applications that rely on stable GPU behavior. The vulnerability is an example of improper input validation and results in the execution of unintended compute payloads.
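The zero-count handling the description outlines, modelled in user-space C as an added example; it is not the kernel driver's code. `struct csd_job`, the function names and the sample counts are hypothetical, and only the 0-as-65536 behaviour and the skip-on-zero rule come from the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WG_DIMS 3 /* one workgroup count per CFG0..CFG2 register */

/* Hypothetical model of a CSD job; not the driver's real structure. */
struct csd_job {
    uint32_t wg_count[WG_DIMS];
    bool submitted; /* true once handed to the hardware */
};

/* Per the description, the hardware processes a count of 0 as 65536. */
static uint32_t hw_effective_count(uint32_t c) { return c ? c : 65536u; }

/* Workgroups the hardware would run if this job were kicked off as-is. */
uint64_t hw_total_workgroups(const struct csd_job *job)
{
    uint64_t total = 1;
    for (int i = 0; i < WG_DIMS; i++)
        total *= hw_effective_count(job->wg_count[i]);
    return total;
}

/* Indirect path: overwrite the job's counts with the indirect buffer's
 * values, even when they are zero, so stale counts never survive. */
void csd_apply_indirect(struct csd_job *job, const uint32_t *indirect)
{
    for (int i = 0; i < WG_DIMS; i++)
        job->wg_count[i] = indirect[i];
}

/* Dispatch path: a zero in any dimension is a no-op; skip the hardware. */
bool csd_dispatch(struct csd_job *job)
{
    for (int i = 0; i < WG_DIMS; i++)
        if (job->wg_count[i] == 0)
            return job->submitted = false; /* job completes immediately */
    return job->submitted = true;
}

int main(void)
{
    struct csd_job job = { .wg_count = {4, 4, 4} };
    const uint32_t indirect[WG_DIMS] = {0, 8, 1}; /* constructed sample */
    csd_apply_indirect(&job, indirect);
    printf("without the check: %llu workgroups\n",
           (unsigned long long)hw_total_workgroups(&job));
    printf("submitted: %d\n", csd_dispatch(&job));
    return 0;
}
```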

Affected Systems

All Linux kernel builds that include the drm/v3d driver are affected. No specific version range is provided, so any kernel prior to the application of the specified patch should be considered vulnerable. The driver runs in kernel space and interfaces with user‑space GPU applications, meaning that any process able to issue GPU workload submissions could trigger the flaw.

Risk and Exploitability

The CVSS, EPSS, and KEV metrics are not reported for this issue, but the lack of a public exploit and the requirement to submit a GPU dispatch suggest that the vulnerability is of moderate severity. Local users with the ability to issue DRM commands could potentially cause a denial of service, while unprivileged exploitation would still be limited to the GPU context of the user. The risk is higher on systems that expose freely modifiable GPU workloads or where the drm/v3d driver is used for non‑reliable workloads. No publicly documented exploits exist at the time of analysis, but the potential for a system crash or resource exhaustion is clear.

Generated by OpenCVE AI on June 25, 2026 at 10:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that contains the patch committed in 11e6432836394e00d39e468cd514f9ddb66f1e49
  • Disable or blacklist the drm/v3d driver for untrusted users or workloads until a timely update is available
  • Verify that GPU workloads cannot specify zero workgroup dimensions by tightening driver validation or monitoring dispatch logs

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-665, CWE-770 |

Thu, 25 Jun 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Skip CSD when it has zeroed workgroups A compute shader dispatch encodes its workgroup counts in the CFG0..CFG2 registers. Kicking off a dispatch with a zero count in any of the three dimensions is invalid. First, the hardware will process 0 as 65536, while the user-space driver exposes a maximum of 65535. Over that, a submission with a zeroed workgroup dimension should be a no-op. These zeroed counts can reach the dispatch path through an indirect CSD job, whose workgroup counts are only known once the indirect buffer is read and may legitimately be zero, but such a scenario should only result in a no-op. Overwrite the indirect CSD job workgroup counts with the indirect BO ones, even if they are zeroed, and don't submit the job to the hardware when any of the workgroup counts is zero, so the job completes immediately instead of running the shader. |
| Title | | drm/v3d: Skip CSD when it has zeroed workgroups |
| First Time appeared | | Linux, Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux, Linux linux Kernel |
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:27.738Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53139

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T10:30:17Z

Weaknesses
  • CWE-665

    Improper Initialization

  • CWE-770

    Allocation of Resources Without Limits or Throttling