CVE-2026-45947
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
In amdgpu_acpi_enumerate_xcc(), if amdgpu_acpi_dev_init() returns -ENOMEM, the function returns directly without releasing the allocated xcc_info, resulting in a memory leak.
Fix this by ensuring that xcc_info is properly freed in the error paths.
Compile tested only. Issue found using a prototype static analysis tool and code review.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in amdgpu_acpi_enumerate_xcc() in the Linux kernel enables local resource exhaustion.
Vulnerability
In the Linux kernel, a memory leak exists in the amdgpu_acpi_enumerate_xcc() function within the drm/amdgpu driver. When amdgpu_acpi_dev_init() returns -ENOMEM, the function returns directly without freeing the previously allocated xcc_info buffer, causing the memory to leak. The issue affects stable kernel versions as indicated by the patch commit [1].
Exploitation
An attacker with local access to the system can trigger the vulnerability by causing memory allocation failures (e.g., by exhausting system memory) that lead amdgpu_acpi_dev_init() to return -ENOMEM. The vulnerable code path is reachable without special privileges, but requires the AMDGPU driver to be loaded and the system to have appropriate ACPI support.
Impact
Successful exploitation results in a kernel memory leak, which can lead to resource exhaustion and denial-of-service (DoS) conditions. The system may become unstable or unresponsive due to depleted kernel memory. No privilege escalation or data disclosure is possible.
Mitigation
The fix is available in the kernel stable commit 7e4b612fe7a960d610c20260c9ee220bddd1b215 [1]. Upgrading to a kernel version containing this commit resolves the vulnerability. No workaround or KEV listing is available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
10c9be63d56578drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
2 files changed · +6 −4
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index c126d1bf2bc836..02d5abf9df2bae 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1186,8 +1186,10 @@ int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index c126d1bf2bc836..02d5abf9df2bae 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1186,8 +1186,10 @@ int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
7e4b612fe7a9drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
2 files changed · +6 −4
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index d31460a9e95829..7c9d8a6d0bfdb9 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1135,8 +1135,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index d31460a9e95829..7c9d8a6d0bfdb9 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1135,8 +1135,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
e87c73a80a12drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
2 files changed · +6 −4
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index 8b2f2b921d9de3..7730e56444934f 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1128,8 +1128,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, bdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index 8b2f2b921d9de3..7730e56444934f 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1128,8 +1128,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, bdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
18a7bbd11f17drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
2 files changed · +6 −4
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index bebfbc1497d8e0..d4848041817562 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1132,8 +1132,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index bebfbc1497d8e0..d4848041817562 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1132,8 +1132,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
d1370ef2ecf7drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
2 files changed · +6 −4
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index 6c62e27b980023..67db986eda3f64 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1136,8 +1136,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index 6c62e27b980023..67db986eda3f64 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1136,8 +1136,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
d1370ef2ecf7drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
2 files changed · +6 −4
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index 6c62e27b980023..67db986eda3f64 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1136,8 +1136,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index 6c62e27b980023..67db986eda3f64 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1136,8 +1136,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
e87c73a80a12drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
2 files changed · +6 −4
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index 8b2f2b921d9de3..7730e56444934f 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1128,8 +1128,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, bdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index 8b2f2b921d9de3..7730e56444934f 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1128,8 +1128,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, bdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
18a7bbd11f17drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
2 files changed · +6 −4
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index bebfbc1497d8e0..d4848041817562 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1132,8 +1132,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index bebfbc1497d8e0..d4848041817562 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1132,8 +1132,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
7e4b612fe7a9drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
2 files changed · +6 −4
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index d31460a9e95829..7c9d8a6d0bfdb9 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1135,8 +1135,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index d31460a9e95829..7c9d8a6d0bfdb9 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1135,8 +1135,10 @@ static int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
c9be63d56578drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
2 files changed · +6 −4
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index c126d1bf2bc836..02d5abf9df2bae 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1186,8 +1186,10 @@ int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c+3 −2 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c index c126d1bf2bc836..02d5abf9df2bae 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -1186,8 +1186,10 @@ int amdgpu_acpi_enumerate_xcc(void) if (!dev_info) ret = amdgpu_acpi_dev_init(&dev_info, xcc_info, sbdf); - if (ret == -ENOMEM) + if (ret == -ENOMEM) { + kfree(xcc_info); return ret; + } if (!dev_info) { kfree(xcc_info); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing kfree(xcc_info) before early return on -ENOMEM from amdgpu_acpi_dev_init() causes a memory leak."
Attack vector
An attacker would need to trigger an out-of-memory condition during ACPI device initialization so that amdgpu_acpi_dev_init() returns -ENOMEM. This occurs in the amdgpu_acpi_enumerate_xcc() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c [patch_id=2661095]. The function allocates xcc_info via kzalloc earlier in the same function, and when the -ENOMEM path is taken the pointer is lost without being freed. No special privileges or network access are required; the bug is reachable during normal kernel module initialization on AMD GPU hardware.
Affected code
The vulnerable function is `amdgpu_acpi_enumerate_xcc()` in `drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c` [patch_id=2661095]. The error path at the `if (ret == -ENOMEM)` check (around line 1132-1136 depending on the kernel version) returned without freeing the previously allocated `xcc_info` pointer.
What the fix does
The patch wraps the existing `if (ret == -ENOMEM) return ret;` block with braces and adds `kfree(xcc_info);` before the return [patch_id=2661095]. This ensures that the memory allocated for xcc_info is released when amdgpu_acpi_dev_init() fails with -ENOMEM, matching the existing cleanup pattern already used in the subsequent `if (!dev_info)` error path. The fix is identical across all backport variants (e.g. [patch_id=2661090], [patch_id=2661092]).
Preconditions
- configThe kernel must be built with CONFIG_DRM_AMDGPU and run on AMD GPU hardware that triggers ACPI XCC enumeration.
- inputThe system must experience an out-of-memory condition such that amdgpu_acpi_dev_init() returns -ENOMEM.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/18a7bbd11f17a7cd4c42fd5955d3675d68c692dfnvd
- git.kernel.org/stable/c/7e4b612fe7a960d610c20260c9ee220bddd1b215nvd
- git.kernel.org/stable/c/c9be63d565789b56ca7b0197e2cb78a3671f95a8nvd
- git.kernel.org/stable/c/d1370ef2ecf7d4df25e3e1e430cd191b1e7f8596nvd
- git.kernel.org/stable/c/e87c73a80a12d337cf5f493c0956f6c2c9eafd80nvd
News mentions
0No linked articles in our index yet.