Description
In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups

v3d_rewrite_csd_job_wg_counts_from_indirect() maps both the indirect
buffer and the workgroup buffer and is expected to release them before
returning. When any of the workgroup counts read from the buffer is zero,
the function bailed out early and skipped the cleanup, leaking the vaddr
mappings of both BOs.

Jump to the cleanup path instead of returning directly, so the mappings
are always dropped.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A kernel function that configures GPU workgroups mistakenly returned early when encountering zero‑count workgroups, leaving virtual address mappings for the indirect and workgroup buffers in memory. The leaked addresses expose internal kernel memory layout, which could assist an attacker in crafting subsequent attacks or revealing confidential data. The vulnerability is limited to kernel internal state and does not allow direct code execution, but it provides attackers with valuable information about the address space.

Affected Systems

All Linux kernel installations that include the V3D DRM driver before the patch commits referenced in the advisory are vulnerable. The specific affected kernel versions are not enumerated in the advisory and must be determined by inspecting the kernel release that contains the unpatched function. Users of recent distributions that ship the V3D driver should verify whether the kernel includes the fixes applied in the commits linked in the advisory.

Risk and Exploitability

The CVSS score of 5.5, while the EPSS score of < 1% indicates a low probability of exploitation, so a quantitative risk assessment remains modest but non‑negligible. The advisory notes that the vulnerability is not listed in the CISA KEV catalog, indicating that no active exploitation is known. However, the information leak could be leveraged by an attacker with sufficient privileges to interact with the DRM subsystem. Existing kernels that allow user space to submit V3D jobs could reach the vulnerable code path, so the risk is functional but likely limited to privileged or compromised users.

Generated by OpenCVE AI on June 26, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch commits cited in the advisory (e.g., the latest stable or security‑patched release from the vendor).
  • If the V3D DRM driver is not required, disable the driver in the kernel configuration or at runtime to eliminate the vulnerable code path.
  • After applying the patch or disabling the driver, run kernel audit or compliance checks to confirm that virtual‑address mappings are properly released and no leaks occur.

Generated by OpenCVE AI on June 26, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Thu, 25 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups v3d_rewrite_csd_job_wg_counts_from_indirect() maps both the indirect buffer and the workgroup buffer and is expected to release them before returning. When any of the workgroup counts read from the buffer is zero, the function bailed out early and skipped the cleanup, leaking the vaddr mappings of both BOs. Jump to the cleanup path instead of returning directly, so the mappings are always dropped.
Title drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:28.494Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53140

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53140 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T15:30:02Z

Weaknesses
  • CWE-772

    Missing Release of Resource after Effective Lifetime