{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43237", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:55.995Z", "datePublished": "2026-05-06T11:28:32.300Z", "dateUpdated": "2026-05-06T11:28:32.300Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-06T11:28:32.300Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4\n\nThis commit simplifies the amdgpu_gem_va_ioctl function, key updates\ninclude:\n - Moved the logic for managing the last update fence directly into\n amdgpu_gem_va_update_vm.\n - Introduced checks for the timeline point to enable conditional\n replacement or addition of fences.\n\nv2: Addressed review comments from Christian.\nv3: Updated comments (Christian).\nv4: The previous version selected the fence too early and did not manage its\n reference correctly, which could lead to stale or freed fences being used.\n This resulted in refcount underflows and could crash when updating GPU\n timelines.\n The fence is now chosen only after the VA mapping work is completed, and its\n reference is taken safely. After exporting it to the VM timeline syncobj, the\n driver always drops its local fence reference, ensuring balanced refcounting\n and avoiding use-after-free on dma_fence.\n\n\tCrash signature:\n\t[ 205.828135] refcount_t: underflow; use-after-free.\n\t[ 205.832963] WARNING: CPU: 30 PID: 7274 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n\t...\n\t[ 206.074014] Call Trace:\n\t[ 206.076488] <TASK>\n\t[ 206.078608] amdgpu_gem_va_ioctl+0x6ea/0x740 [amdgpu]\n\t[ 206.084040] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]\n\t[ 206.089994] drm_ioctl_kernel+0x86/0xe0 [drm]\n\t[ 206.094415] drm_ioctl+0x26e/0x520 [drm]\n\t[ 206.098424] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]\n\t[ 206.104402] amdgpu_drm_ioctl+0x4b/0x80 [amdgpu]\n\t[ 206.109387] __x64_sys_ioctl+0x96/0xe0\n\t[ 206.113156] do_syscall_64+0x66/0x2d0\n\t...\n\t[ 206.553351] BUG: unable to handle page fault for address: ffffffffc0dfde90\n\t...\n\t[ 206.553378] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0\n\t...\n\t[ 206.553405] Call Trace:\n\t[ 206.553409] <IRQ>\n\t[ 206.553415] ? __pfx_drm_sched_fence_free_rcu+0x10/0x10 [gpu_sched]\n\t[ 206.553424] dma_fence_signal+0x30/0x60\n\t[ 206.553427] drm_sched_job_done.isra.0+0x123/0x150 [gpu_sched]\n\t[ 206.553434] dma_fence_signal_timestamp_locked+0x6e/0xe0\n\t[ 206.553437] dma_fence_signal+0x30/0x60\n\t[ 206.553441] amdgpu_fence_process+0xd8/0x150 [amdgpu]\n\t[ 206.553854] sdma_v4_0_process_trap_irq+0x97/0xb0 [amdgpu]\n\t[ 206.554353] edac_mce_amd(E) ee1004(E)\n\t[ 206.554270] amdgpu_irq_dispatch+0x150/0x230 [amdgpu]\n\t[ 206.554702] amdgpu_ih_process+0x6a/0x180 [amdgpu]\n\t[ 206.555101] amdgpu_irq_handler+0x23/0x60 [amdgpu]\n\t[ 206.555500] __handle_irq_event_percpu+0x4a/0x1c0\n\t[ 206.555506] handle_irq_event+0x38/0x80\n\t[ 206.555509] handle_edge_irq+0x92/0x1e0\n\t[ 206.555513] __common_interrupt+0x3e/0xb0\n\t[ 206.555519] common_interrupt+0x80/0xa0\n\t[ 206.555525] </IRQ>\n\t[ 206.555527] <TASK>\n\t...\n\t[ 206.555650] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0\n\t...\n\t[ 206.555667] Kernel panic - not syncing: Fatal exception in interrupt"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e9e477d3197f7d8955a042c0d7f53f78f13218ba", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "0399b8416ecf64ef86ad23401fe23eabdb07831a", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "bd8150a1b3370a9f7761c5814202a3fe5a79f44f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c"], "versions": [{"version": "6.18.16", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.6", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.19.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e9e477d3197f7d8955a042c0d7f53f78f13218ba"}, {"url": "https://git.kernel.org/stable/c/0399b8416ecf64ef86ad23401fe23eabdb07831a"}, {"url": "https://git.kernel.org/stable/c/bd8150a1b3370a9f7761c5814202a3fe5a79f44f"}], "title": "drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4\n\nThis commit simplifies the amdgpu_gem_va_ioctl function, key updates\ninclude:\n - Moved the logic for managing the last update fence directly into\n amdgpu_gem_va_update_vm.\n - Introduced checks for the timeline point to enable conditional\n replacement or addition of fences.\n\nv2: Addressed review comments from Christian.\nv3: Updated comments (Christian).\nv4: The previous version selected the fence too early and did not manage its\n reference correctly, which could lead to stale or freed fences being used.\n This resulted in refcount underflows and could crash when updating GPU\n timelines.\n The fence is now chosen only after the VA mapping work is completed, and its\n reference is taken safely. After exporting it to the VM timeline syncobj, the\n driver always drops its local fence reference, ensuring balanced refcounting\n and avoiding use-after-free on dma_fence.\n\n\tCrash signature:\n\t[ 205.828135] refcount_t: underflow; use-after-free.\n\t[ 205.832963] WARNING: CPU: 30 PID: 7274 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n\t...\n\t[ 206.074014] Call Trace:\n\t[ 206.076488] <TASK>\n\t[ 206.078608] amdgpu_gem_va_ioctl+0x6ea/0x740 [amdgpu]\n\t[ 206.084040] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]\n\t[ 206.089994] drm_ioctl_kernel+0x86/0xe0 [drm]\n\t[ 206.094415] drm_ioctl+0x26e/0x520 [drm]\n\t[ 206.098424] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]\n\t[ 206.104402] amdgpu_drm_ioctl+0x4b/0x80 [amdgpu]\n\t[ 206.109387] __x64_sys_ioctl+0x96/0xe0\n\t[ 206.113156] do_syscall_64+0x66/0x2d0\n\t...\n\t[ 206.553351] BUG: unable to handle page fault for address: ffffffffc0dfde90\n\t...\n\t[ 206.553378] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0\n\t...\n\t[ 206.553405] Call Trace:\n\t[ 206.553409] <IRQ>\n\t[ 206.553415] ? __pfx_drm_sched_fence_free_rcu+0x10/0x10 [gpu_sched]\n\t[ 206.553424] dma_fence_signal+0x30/0x60\n\t[ 206.553427] drm_sched_job_done.isra.0+0x123/0x150 [gpu_sched]\n\t[ 206.553434] dma_fence_signal_timestamp_locked+0x6e/0xe0\n\t[ 206.553437] dma_fence_signal+0x30/0x60\n\t[ 206.553441] amdgpu_fence_process+0xd8/0x150 [amdgpu]\n\t[ 206.553854] sdma_v4_0_process_trap_irq+0x97/0xb0 [amdgpu]\n\t[ 206.554353] edac_mce_amd(E) ee1004(E)\n\t[ 206.554270] amdgpu_irq_dispatch+0x150/0x230 [amdgpu]\n\t[ 206.554702] amdgpu_ih_process+0x6a/0x180 [amdgpu]\n\t[ 206.555101] amdgpu_irq_handler+0x23/0x60 [amdgpu]\n\t[ 206.555500] __handle_irq_event_percpu+0x4a/0x1c0\n\t[ 206.555506] handle_irq_event+0x38/0x80\n\t[ 206.555509] handle_edge_irq+0x92/0x1e0\n\t[ 206.555513] __common_interrupt+0x3e/0xb0\n\t[ 206.555519] common_interrupt+0x80/0xa0\n\t[ 206.555525] </IRQ>\n\t[ 206.555527] <TASK>\n\t...\n\t[ 206.555650] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0\n\t...\n\t[ 206.555667] Kernel panic - not syncing: Fatal exception in interrupt"}], "id": "CVE-2026-43237", "lastModified": "2026-05-06T13:07:51.607", "metrics": {}, "published": "2026-05-06T12:16:43.960", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0399b8416ecf64ef86ad23401fe23eabdb07831a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bd8150a1b3370a9f7761c5814202a3fe5a79f44f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e9e477d3197f7d8955a042c0d7f53f78f13218ba"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4", "id": "2467202", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467202"}, "csaw": false, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's AMD GPU (amdgpu) driver. Incorrect management of graphics memory (dma_fence) references within the `amdgpu_gem_va_ioctl` function can lead to a reference count underflow and a use-after-after-free condition. A local attacker could exploit this vulnerability to trigger a kernel panic, causing the system to crash and resulting in a denial of service."], "name": "CVE-2026-43237", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43237\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43237\nhttps://lore.kernel.org/linux-cve-announce/2026050658-CVE-2026-43237-b6c1@gregkh/T"]}