Zero Day MonitorZDM

← Back to list

7.1

CVE-2026-31766PATCHED

amd · amdgpu

drm/amdgpu: validate doorbell_offset in user queue creation

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate doorbell_offset in user queue creation amdgpu_userq_get_doorbell_index() passes the user-provided doorbell_offset to amdgpu_doorbell_index_on_bar() without bounds checking. An arbitrarily large doorbell_offset can cause the calculated doorbell index to fall outside the allocated doorbell BO, potentially corrupting kernel doorbell space. Validate that doorbell_offset falls within the doorbell BO before computing the BAR index, using u64 arithmetic to prevent overflow. (cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)

Affected Products

Vendor	Product	Versions
amd	amdgpu	f09c1e6077abd1bc2ddd2b97e1135215801ca7f9, f09c1e6077abd1bc2ddd2b97e1135215801ca7f9, f09c1e6077abd1bc2ddd2b97e1135215801ca7f9, 6.16

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
linux	linux	mitre_affected	90%
open source	open source linux kernel	cert_advisory	90%

References

Related News (3 articles)

Tier B

BSI Advisories7d ago

[NEU] [mittel] Linux Kernel: Mehrere Schwachstellen

→ No new info (linked only)

Tier C

VulDB10d ago

CVE-2026-31766 | Linux Kernel up to 6.18.21/6.19.11 amdgpu amdgpu_userq_get_doorbell_index allocation of resources

→ No new info (linked only)

Tier C

Linux Kernel CVEs10d ago

CVE-2026-31766: drm/amdgpu: validate doorbell_offset in user queue creation

→ No new info (linked only)

CVSS 3.17.1 HIGH

VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

3543005a42d7e8e12b21897ef6798541bf7cbcd386b732fbc37ce4fb76cdd4af0fb7e30a6acdbce6a018d1819f158991b7308e4f74609c6c029b670c06.18.226.19.127.0

PublishedMay 1, 2026

Last enriched10d agov2

Trending Score17

Source articles3

Independent3

Info Completeness7/14

Missing: cvss, epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-43318EXP

drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify

CRITICALCVE-2026-43337EXP

drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw()

CRITICALCVE-2026-43444EXP

drm/amdkfd: Unreserve bo if queue update failed

NONECVE-2025-71294EXP

drm/amdgpu: fix NULL pointer issue buffer funcs

NONECVE-2026-31628

x86/CPU: Fix FPDSS on Zen1

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 1, 2026

Discovered by ZDM

May 1, 2026

Updated: affectedVersions

May 1, 2026

Patch Available

May 3, 2026

Version History

v2

Last enriched 10d ago

v2Tier C10d ago

Updated description with new details, changed severity to CRITICAL, and added affected versions 6.18.21 and 6.19.11.

affectedVersions

via VulDB

v110d ago

Initial creation