CVE-2026-53143

HIGH

drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 The v11 MQD manager incorrectly assigned the CP-compute variants of checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow. During CRIU checkpoint of an SDMA queue on Navi3x: - checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer, leaking 1536 bytes of adjacent GTT memory to userspace During CRIU restore: - restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer, corrupting 1536 bytes of adjacent GTT memory (often the ring buffer or neighboring MQDs) This is a copy-paste regression unique to v11. All other ASIC backends (cik, vi, v9, v10, v12) correctly use the SDMA-specific variants. Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly handle the smaller v11_sdma_mqd structure, matching the pattern used in other MQD managers. (cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)

Scores

CVSS v3 7.8
EPSS 0.0014
EPSS Percentile 3.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-131 CWE-787
Status published
Products (18)
linux/Kernel 5.19.0 - 6.6.143linux
linux/Kernel 6.13.0 - 6.18.36linux
linux/Kernel 6.19.0 - 7.0.13linux
linux/Kernel 6.7.0 - 6.12.94linux
Linux/Linux < 5.19
Linux/Linux 5.19
Linux/Linux 6.12.94 - 6.12.*
Linux/Linux 6.18.36 - 6.18.*
Linux/Linux 6.6.143 - 6.6.*
Linux/Linux 7.0.13 - 7.0.*
... and 8 more
Published Jun 25, 2026
Tracked Since Jun 25, 2026