CVE-2026-53143 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11

The v11 MQD manager incorrectly assigned the CP-compute variants of
checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions
use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct
v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow.

During CRIU checkpoint of an SDMA queue on Navi3x:
- checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer,
leaking 1536 bytes of adjacent GTT memory to userspace

During CRIU restore:
- restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer,
corrupting 1536 bytes of adjacent GTT memory (often the ring buffer
or neighboring MQDs)

This is a copy-paste regression unique to v11. All other ASIC backends
(cik, vi, v9, v10, v12) correctly use the SDMA-specific variants.

Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly
handle the smaller v11_sdma_mqd structure, matching the pattern used in
other MQD managers.

(cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)

Published: 2026-06-25

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

An incorrect SDMA queue checkpoint/restore implementation in the amdkfd driver on GFX11 kernels caused a 1536‑byte buffer overflow because functions used the larger compute_mqd size instead of the 512‑byte sdma_mqd size. The overflow allows an attacker to read 1536 bytes of adjacent GTT memory during a CRIU checkpoint, leaking kernel data to userspace, and to write 1536 bytes during a CRIU restore, corrupting neighboring GTT memory such as the ring buffer or other MQDs. The resulting write or read can compromise the confidentiality, integrity, and availability of kernel state, enabling local privilege escalation or denial of service.

Affected Systems

All Linux kernels that contain the amdkfd driver for GFX11 (Navi3x) hardware are affected. The vulnerability exists prior to the kernel patch that fixes the SDMA checkpoint/restore logic; any distribution using an older unsupported kernel version that includes the unpatched amdkfd driver is at risk.

Risk and Exploitability

The flaw is a classic buffer overflow (CWE-122/CWE-787) that can be triggered by a local process that initiates a CRIU checkpoint or restore of an SDMA queue. No EPSS score is available, but the severity is high due to kernel memory corruption. The vulnerability is not listed in the CISA KEV catalog, yet its local attack vector combined with kernel privilege escalation potential makes it a critical issue for systems that expose amdkfd or use CRIU with SDMA queues.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`cc009e613de6560eb499f8bc92c80a737752cb30`	affected	< 16dad1fb0d783a4008de30e32d0038c393de05b1
`cc009e613de6560eb499f8bc92c80a737752cb30`	affected	< 2c5b66c9b4057b385566940935ebc32f6e6ebfd2
`cc009e613de6560eb499f8bc92c80a737752cb30`	affected	< d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64
`cc009e613de6560eb499f8bc92c80a737752cb30`	affected	< d02f05d30f35b036f7cbaf72de634affb5b38ec6
`cc009e613de6560eb499f8bc92c80a737752cb30`	affected	< 352ea59028ea48a6fff77f19ae28f98f71946a80

Linux

affected

Version	Status	Constraints
`5.19`	affected	—
`0`	unaffected	< 5.19
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that patches the amdkfd driver to use the correct sdma_mqd structure for checkpoint/restore on GFX11.
If an update cannot be applied immediately, disable CRIU checkpoint/restore functionality for SDMA queues or consider disabling KFD services on hosts that do not require GPU acceleration.
As a temporary measure, avoid running CRIU on systems with GFX11 GPUs until the kernel patch is in place.

Generated by OpenCVE AI on June 25, 2026 at 10:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/16dad1fb0d783a4008de30e32d0038c393de05b1
https://git.kernel.org/stable/c/2c5b66c9b4057b385566940935ebc32f6e6ebfd2
https://git.kernel.org/stable/c/352ea59028ea48a6fff77f19ae28f98f71946a80
https://git.kernel.org/stable/c/d02f05d30f35b036f7cbaf72de634affb5b38ec6
https://git.kernel.org/stable/c/d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64

History

Thu, 25 Jun 2026 10:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-122 CWE-787

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 The v11 MQD manager incorrectly assigned the CP-compute variants of checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow. During CRIU checkpoint of an SDMA queue on Navi3x: - checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer, leaking 1536 bytes of adjacent GTT memory to userspace During CRIU restore: - restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer, corrupting 1536 bytes of adjacent GTT memory (often the ring buffer or neighboring MQDs) This is a copy-paste regression unique to v11. All other ASIC backends (cik, vi, v9, v10, v12) correctly use the SDMA-specific variants. Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly handle the smaller v11_sdma_mqd structure, matching the pattern used in other MQD managers. (cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)
Title		drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/16dad1fb0d783a4008de30e32d0038c393de05b1 https://git.kernel.org/stable/c/2c5b66c9b4057b385566940935ebc32f6e6ebfd2 https://git.kernel.org/stable/c/352ea59028ea48a6fff77f19ae28f98f71946a80 https://git.kernel.org/stable/c/d02f05d30f35b036f7cbaf72de634affb5b38ec6 https://git.kernel.org/stable/c/d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:30.901Z

Updated: 2026-06-25T08:38:30.901Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53143

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T10:30:17Z

Weaknesses

CWE-122
Heap-based Buffer Overflow
CWE-787
Out-of-bounds Write

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object