Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: fix NULL dereference in get_queue_ids()

When usr_queue_id_array is NULL and num_queues is non-zero,
get_queue_ids() returns NULL. The callers check only IS_ERR() on the
return value; since IS_ERR(NULL) == false the check passes, and
suspend_queues() calls q_array_invalidate() which immediately
dereferences NULL while iterating num_queues times.

Userspace can trigger this via kfd_ioctl_set_debug_trap() by supplying
num_queues > 0 with a zero queue_array_ptr, causing a kernel panic.

A NULL usr_queue_id_array with num_queues == 0 is a legitimate no-op
(q_array_invalidate never executes, and resume_queues already guards
all queue_ids dereferences behind a NULL check). Return ERR_PTR(-EINVAL)
only when num_queues is non-zero and the pointer is absent; both callers
already propagate IS_ERR() returns correctly to userspace.

(cherry picked from commit f165a82cdf503884bb1797771c61b2fcc72113d4)
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a NULL pointer dereference in the kernel's DRM AMDKFD subsystem. When an ioctl requests a debug trap with a non-zero queue count but supplies a NULL array pointer, the kernel's get_queue_ids function returns NULL. The caller incorrectly treats this as a valid pointer, causing a subsequent function to dereference NULL and trigger a kernel panic. The resulting denial of service requires a system reboot to recover, potentially disrupting production workloads.

Affected Systems

All Linux kernel binaries compiled with the AMDKFD driver prior to the commit f165a82cdf503884bb1797771c61b2fcc72113d4 are affected. The vulnerability exists in any kernel version that predates this patch and does not include the defensive fix. The affected CPE identifier is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

Risk and Exploitability

The exploit can be triggered from unprivileged user space by issuing a kfd_ioctl_set_debug_trap ioctl with num_queues greater than zero but a NULL queue_array_ptr. Because the kernel does not validate the pointer in this scenario, a user can directly cause a panic without special privileges. The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than one percent shows a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly known exploits have been reported, but the impact on availability remains significant.

Generated by OpenCVE AI on June 30, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes commit f165a82cdf503884bb1797771c61b2fcc72113d4 or later to eliminate the NULL dereference.
  • If the patch is not yet available, disable the AMDKFD debug-trap functionality or restrict the kfd_ioctl_set_debug_trap ioctl to privileged users, for example by compiling the kernel without CONFIG_KFD_DEBUG_TRAP or by enforcing CAP_SYS_ADMIN on the ioctl.
  • As a temporary workaround, modify the kernel source to return ERR_PTR(-EINVAL) when num_queues is non-zero and the queue array pointer is NULL before compiling the kernel.

Generated by OpenCVE AI on June 30, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: fix NULL dereference in get_queue_ids() When usr_queue_id_array is NULL and num_queues is non-zero, get_queue_ids() returns NULL. The callers check only IS_ERR() on the return value; since IS_ERR(NULL) == false the check passes, and suspend_queues() calls q_array_invalidate() which immediately dereferences NULL while iterating num_queues times. Userspace can trigger this via kfd_ioctl_set_debug_trap() by supplying num_queues > 0 with a zero queue_array_ptr, causing a kernel panic. A NULL usr_queue_id_array with num_queues == 0 is a legitimate no-op (q_array_invalidate never executes, and resume_queues already guards all queue_ids dereferences behind a NULL check). Return ERR_PTR(-EINVAL) only when num_queues is non-zero and the pointer is absent; both callers already propagate IS_ERR() returns correctly to userspace. (cherry picked from commit f165a82cdf503884bb1797771c61b2fcc72113d4)
Title drm/amdkfd: fix NULL dereference in get_queue_ids()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:31.569Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53144

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53144 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T01:30:05Z

Weaknesses