Description
In the Linux kernel, the following vulnerability has been resolved:

agp/amd64: Fix broken error propagation in agp_amd64_probe()

A NULL pointer dereference was observed in the AMD64 AGP driver when
running in a virtualized environment (e.g. qemu/kvm) without a physical
AMD northbridge. The crash occurs in amd64_fetch_size() when attempting
to dereference the pointer returned by node_to_amd_nb(0).

The root cause of this crash is broken error propagation in
agp_amd64_probe(): When no AMD northbridges are found, cache_nbs()
correctly returns -ENODEV. However, the probe function erroneously
checks the return value against exactly -1, rather than < 0.

As a result, the hardware absence error is masked, allowing the driver
to improperly proceed with initialization. It eventually calls
agp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware
does not exist, node_to_amd_nb(0) returns NULL, leading to a General
Protection Fault (GPF) when accessing its ->misc member.

Fix the issue by correcting the error check in agp_amd64_probe() to
abort properly when cache_nbs() returns any negative error code. This
prevents the driver from erroneously proceeding without hardware, thereby
avoiding the subsequent NULL pointer dereference at its source.
Published: 2026-06-29
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s AMD64 AGP driver, a missing error check in agp_amd64_probe() causes the function to ignore a negative error from cache_nbs() when no AMD northbridge is present. The probe continues, later calling agp_add_bridge() and amd64_fetch_size(). node_to_amd_nb(0) then returns NULL, and dereferencing its ->misc member triggers a General Protection Fault. The fault crashes the kernel, leading to a denial‑of‑service. The weakness is a NULL pointer dereference (CWE‑476).

Affected Systems

The vulnerability resides in the Linux kernel code that implements the AMD64 AGP driver. All kernel versions prior to the commit that added the proper error check (cited in the advisory) are affected. The issue is most likely to be triggered in virtualized environments such as QEMU/KVM that present an AGP device without an underlying AMD northbridge; when the host kernel loads the driver to support the VM, the bug causes a crash. Any Linux host kernel that exposes an AGP device to a virtual machine is at risk if the kernel has not been updated to include the fix.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity; the EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog. The bug leads directly to a kernel crash rather than arbitrary code execution, so exploitation requires that the faulting code path be exercised within the kernel. This can be achieved by a malicious virtual machine or by a host configuration that mounts an AGP device lacking a northbridge. The likelihood of exploitation is low but the impact is high, as it results in service interruption of the host system.

Generated by OpenCVE AI on June 29, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that incorporates the commit that corrects the error check in agp_amd64_probe()
  • If a kernel upgrade is not possible, reconfigure the host or virtual machine to omit the AGP device so that agp_amd64_probe() is never invoked
  • As a temporary measure, disable AGP support in the kernel configuration (CONFIG_AGP) if the system does not require it

Generated by OpenCVE AI on June 29, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4688-1 linux security update
Debian DSA Debian DSA DSA-6381-1 linux security update
History

Sat, 04 Jul 2026 12:15:00 +0000


Mon, 29 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-703

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Mon, 29 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CWE-703

Mon, 29 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: agp/amd64: Fix broken error propagation in agp_amd64_probe() A NULL pointer dereference was observed in the AMD64 AGP driver when running in a virtualized environment (e.g. qemu/kvm) without a physical AMD northbridge. The crash occurs in amd64_fetch_size() when attempting to dereference the pointer returned by node_to_amd_nb(0). The root cause of this crash is broken error propagation in agp_amd64_probe(): When no AMD northbridges are found, cache_nbs() correctly returns -ENODEV. However, the probe function erroneously checks the return value against exactly -1, rather than < 0. As a result, the hardware absence error is masked, allowing the driver to improperly proceed with initialization. It eventually calls agp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware does not exist, node_to_amd_nb(0) returns NULL, leading to a General Protection Fault (GPF) when accessing its ->misc member. Fix the issue by correcting the error check in agp_amd64_probe() to abort properly when cache_nbs() returns any negative error code. This prevents the driver from erroneously proceeding without hardware, thereby avoiding the subsequent NULL pointer dereference at its source.
Title agp/amd64: Fix broken error propagation in agp_amd64_probe()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-04T11:51:03.918Z

Reserved: 2026-06-09T07:44:35.398Z

Link: CVE-2026-53325

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-29T00:00:00Z

Links: CVE-2026-53325 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T16:30:17Z

Weaknesses