VYPR
Medium severity 5.5 · NVD Advisory · Published May 6, 2026 · Updated May 13, 2026

CVE-2026-43169

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/buddy: Prevent BUG_ON by validating rounded allocation

When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is rounded up to the next power-of-two via roundup_pow_of_two(). Similarly, for non-contiguous allocations with large min_block_size, the size is aligned up via round_up(). Both operations can produce a rounded size that exceeds mm->size, which later triggers BUG_ON(order > mm->max_order).

Example scenarios:
- 9G CONTIGUOUS allocation on 10G VRAM memory: roundup_pow_of_two(9G) = 16G > 10G
- 9G allocation with 8G min_block_size on 10G VRAM memory: round_up(9G, 8G) = 16G > 10G

Fix this by checking the rounded size against mm->size. For non-contiguous or range allocations where size > mm->size is invalid, return -EINVAL immediately. For contiguous allocations without range restrictions, allow the request to fall through to the existing __alloc_contig_try_harder() fallback.

This ensures invalid user input returns an error or uses the fallback path instead of hitting BUG_ON.

v2: (Matt A)
- Add Fixes, Cc stable, and Closes tags for context

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel DRM buddy allocator BUG_ON due to size rounding exceeding mm->size allows local denial of service.

Description

The DRM buddy memory allocator in the Linux kernel has a vulnerability where certain allocation requests can trigger a BUG_ON. When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is rounded up to the next power of two via roundup_pow_of_two(). For non-contiguous allocations with a large min_block_size, the size is aligned up via round_up(). If the rounded size exceeds mm->size, the allocator later hits BUG_ON(order > mm->max_order), leading to a kernel panic.

Exploitation

The vulnerability is exploitable by any user or process that can submit DRM allocation requests, for example, through the Direct Rendering Manager interface. Attackers can craft allocation sizes that, after rounding, exceed the available memory size. For instance, a 9 GB contiguous allocation on a system with 10 GB VRAM results in a rounded size of 16 GB, which surpasses the total VRAM. No special privileges are required beyond access to the DRM device, making this a local denial-of-service vector.

Impact

Successful exploitation causes the kernel to hit a BUG_ON, resulting in a system crash or hang that disrupts availability for legitimate users. The vulnerability does not lead to privilege escalation or information disclosure; the impact is limited to denial of service [1][2][3][4].

Mitigation

The fix introduces a validation step that checks the rounded allocation size against mm->size before proceeding. If the rounded size exceeds mm->size, non-contiguous and range allocations return an error (-EINVAL), while contiguous allocations without range restrictions fall through to the existing __alloc_contig_try_harder() fallback. This change prevents the BUG_ON from being triggered by invalid user input. Patches have been committed to the Linux kernel stable tree and are available in the referenced commits [1][2][3][4]. Users should apply the latest kernel updates to mitigate this issue.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
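
A userspace model of the rounding and the size check described above, added here as an illustration; it is not the kernel patch or code from the advisory. The `model_*` names, `MODEL_*` flag bits and `PATH_*` codes are hypothetical, and rejecting a zero size or zero `min_block_size` up front is this model's own guard.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical flag bits and path codes for this model, not the kernel's. */
#define MODEL_CONTIGUOUS 0x1u
#define MODEL_RANGE      0x2u
enum { PATH_NORMAL = 0, PATH_CONTIG_FALLBACK = 1 };
#define GiB (1ULL << 30)

/* Smallest power of two >= n; saturates instead of wrapping past 2^63. */
static uint64_t model_roundup_pow_of_two(uint64_t n)
{
    uint64_t p = 1;
    while (p < n && p <= UINT64_MAX / 2)
        p <<= 1;
    return p < n ? UINT64_MAX : p;
}

/* Returns -EINVAL for a request that can never fit, else the path taken.
 * *rounded receives the size after rounding. Assumes min_block_size is a
 * power of two and that size + min_block_size does not wrap. */
int model_check_alloc(uint64_t mm_size, uint64_t size, uint64_t min_block_size,
                      unsigned int flags, uint64_t *rounded)
{
    *rounded = size;
    if (size == 0 || min_block_size == 0)
        return -EINVAL;
    if (flags & MODEL_CONTIGUOUS)
        *rounded = model_roundup_pow_of_two(size);
    else
        *rounded = (size + min_block_size - 1) & ~(min_block_size - 1);

    if (*rounded <= mm_size)
        return PATH_NORMAL;
    /* Rounded size exceeds mm->size: unchecked, the order derived from it
     * would exceed mm->max_order and hit the BUG_ON. */
    if ((flags & MODEL_CONTIGUOUS) && !(flags & MODEL_RANGE))
        return PATH_CONTIG_FALLBACK;
    return -EINVAL;
}

int main(void)
{
    uint64_t r; /* the advisory's first scenario: 9G contiguous on 10G */
    int rc = model_check_alloc(10 * GiB, 9 * GiB, 4096, MODEL_CONTIGUOUS, &r);
    printf("rounded=%lluG rc=%d\n", (unsigned long long)(r / GiB), rc);
    return 0;
}
```

Both scenarios from the description round to 16G on a 10G pool: the contiguous one is routed to the fallback path, and the 8G `min_block_size` one is rejected with -EINVAL.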
