VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46217

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/vcn4: Avoid overflow on msg bound check

As pointed out by SDL, the previous condition may be vulnerable to overflow.

(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability in Linux kernel drm/amdgpu/vcn4 driver could cause integer overflow in message bound check, leading to potential memory corruption.

Vulnerability

An integer overflow vulnerability exists in the message bound check of the drm/amdgpu/vcn4 driver in the Linux kernel. The previous condition for verifying message bounds was susceptible to arithmetic overflow, which could cause an incorrect bound comparison. This flaw affects the code path used by the AMDGPU driver for video codec (VCN) hardware on certain AMD GPUs. The vulnerability is present in kernel versions prior to the inclusion of commit 3c5367d95014.

Exploitation

Exploitation requires a local attacker able to send crafted commands to the VCN hardware through the AMDGPU device interface. The attacker must be able to trigger a sequence that passes an oversized or specially crafted message parameter, causing the bound check to overflow and bypass the intended limits. No user interaction is needed, and on an unprivileged system no privileges beyond local access to the /dev/dri device may be required; in typical scenarios the attacker needs access to the DRM subsystem.

Impact

Successful exploitation could allow an attacker to bypass memory boundary checks, potentially leading to out-of-bounds memory writes. This could result in memory corruption, system instability, or privilege escalation. The exact impact depends on the kernel configuration and hardware revision, but arbitrary code execution in kernel context is theoretically possible.

Mitigation

The fix is included in Linux kernel commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885 and was backported to stable kernels as of the referenced commit 30d12ee310a6 [1]. Users should update to a kernel version containing this patch. No workaround is available beyond applying the patch. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at the time of publication.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

10
30d12ee310a6

drm/amdgpu/vcn4: Avoid overflow on msg bound check

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Benjamin Cheng · Apr 13, 2026 · Fixed in 7.0.9 via kernel-cna
1 file changed · +3 −2
  • drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c (+3 −2, modified)
    diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    index 5dec92691f73ee..63d37b475c2c33 100644
    --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    @@ -1889,6 +1889,7 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
     
     	for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
     		uint32_t offset, size, *create;
    +		uint64_t buf_end;
     
     		if (msg[0] != RDECODE_MESSAGE_CREATE)
     			continue;
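Review bot: `buf_end` is declared `uint64_t` while `offset` and `size` stay `uint32_t`. Because `check_add_overflow()` judges overflow against the type of its destination, the sum of two 32-bit values can never overflow a 64-bit `buf_end`, so it is the widening that defeats the wrap, and the overflow branch in the following hunk is effectively unreachable. That is still a correct fix, but a one-line comment on this declaration saying the 64-bit width is deliberate would stop a later cleanup from narrowing it back to `uint32_t` and reintroducing the truncated comparison.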
    @@ -1896,7 +1897,8 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
     		offset = msg[1];
     		size = msg[2];
     
    -		if (size < 4 || offset + size > end - addr) {
    +		if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
    +		    buf_end > end - addr) {
     			DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
     			r = -EINVAL;
     			goto out;
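Review bot: the rejection path still logs the fixed string "VCN message buffer exceeds BO bounds!" for both the overflow case and a plain oversize buffer; printing `offset`, `size` and `end - addr` in the `DRM_ERROR` would let whoever triages dmesg tell a wrapped pair from a merely oversized one. It is also worth confirming at review that `end - addr` is a 64-bit quantity (its operands' types are outside this hunk), since comparing a 64-bit `buf_end` only helps if the right-hand side is not itself truncated to 32 bits.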
5bb5faff4837

drm/amdgpu/vcn4: Avoid overflow on msg bound check

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Benjamin Cheng · Apr 13, 2026 · Fixed in 6.6.140 via kernel-cna
1 file changed · +3 −2
  • drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c (+3 −2, modified)
    diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    index 71804c11582c60..d35bc5d01b448c 100644
    --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    @@ -1731,6 +1731,7 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
     
     	for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
     		uint32_t offset, size, *create;
    +		uint64_t buf_end;
     
     		if (msg[0] != RDECODE_MESSAGE_CREATE)
     			continue;
    @@ -1738,7 +1739,8 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
     		offset = msg[1];
     		size = msg[2];
     
    -		if (size < 4 || offset + size > end - addr) {
    +		if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
    +		    buf_end > end - addr) {
     			DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
     			r = -EINVAL;
     			goto out;
271cd5429513

drm/amdgpu/vcn4: Avoid overflow on msg bound check

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Benjamin Cheng · Apr 13, 2026 · Fixed in 6.18.32 via kernel-cna
1 file changed · +3 −2
  • drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c (+3 −2, modified)
    diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    index 64f294fb1c7a06..64bda0e944a7cc 100644
    --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    @@ -1888,6 +1888,7 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
     
     	for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
     		uint32_t offset, size, *create;
    +		uint64_t buf_end;
     
     		if (msg[0] != RDECODE_MESSAGE_CREATE)
     			continue;
    @@ -1895,7 +1896,8 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
     		offset = msg[1];
     		size = msg[2];
     
    -		if (size < 4 || offset + size > end - addr) {
    +		if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
    +		    buf_end > end - addr) {
     			DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
     			r = -EINVAL;
     			goto out;
65bce27ea619

drm/amdgpu/vcn4: Avoid overflow on msg bound check

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Benjamin Cheng · Apr 13, 2026 · Fixed in 7.1-rc2 via kernel-cna
1 file changed · +3 −2
  • drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c (+3 −2, modified)
    diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    index bbdd017cbafb61..ff7269bafae8ef 100644
    --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    @@ -1889,6 +1889,7 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
     
     	for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
     		uint32_t offset, size, *create;
    +		uint64_t buf_end;
     
     		if (msg[0] != RDECODE_MESSAGE_CREATE)
     			continue;
    @@ -1896,7 +1897,8 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
     		offset = msg[1];
     		size = msg[2];
     
    -		if (size < 4 || offset + size > end - addr) {
    +		if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
    +		    buf_end > end - addr) {
     			DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
     			r = -EINVAL;
     			goto out;
73043d296787

drm/amdgpu/vcn4: Avoid overflow on msg bound check

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Benjamin Cheng · Apr 13, 2026 · Fixed in 6.12.90 via kernel-cna
1 file changed · +3 −2
  • drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c (+3 −2, modified)
    diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    index b36a952174ac4d..2f8d07a7b60ba8 100644
    --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
    @@ -1830,6 +1830,7 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
     
     	for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
     		uint32_t offset, size, *create;
    +		uint64_t buf_end;
     
     		if (msg[0] != RDECODE_MESSAGE_CREATE)
     			continue;
    @@ -1837,7 +1838,8 @@ static int vcn_v4_0_dec_msg(struct amdgpu_cs_parser *p, struct amdgpu_job *job,
     		offset = msg[1];
     		size = msg[2];
     
    -		if (size < 4 || offset + size > end - addr) {
    +		if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
    +		    buf_end > end - addr) {
     			DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
     			r = -EINVAL;
     			goto out;

Vulnerability mechanics

Root cause

"Integer overflow in the bounds check of `vcn_v4_0_dec_msg` when adding attacker-controlled 32-bit offset and size values."

Attack vector

An attacker who can submit a crafted VCN decode message to the AMDGPU kernel driver can supply values for `offset` and `size` (both `uint32_t`) such that `offset + size` wraps around to a small value, bypassing the original bounds check [patch_id=2897683]. This integer overflow allows the subsequent buffer access to read out-of-bounds relative to the buffer object, potentially leaking sensitive kernel memory or causing a crash.

Affected code

The vulnerability resides in the `vcn_v4_0_dec_msg` function within `drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c` [patch_id=2897683]. The fault is in the bound-check condition `offset + size > end - addr`, where `offset` and `size` are 32-bit unsigned integers read directly from a decode message buffer.

What the fix does

The patch replaces the direct addition `offset + size` with the safe `check_add_overflow(offset, size, &buf_end)` helper, which detects if the 32-bit addition would wrap [patch_id=2897683]. If overflow is detected, the check fails and the function returns `-EINVAL`. The result is stored in a `uint64_t buf_end` variable, ensuring the subsequent comparison `buf_end > end - addr` is performed in 64-bit arithmetic, eliminating the possibility of wrap-around bypass.
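The following is an added example, not the kernel's own code, that models the bound check in `vcn_v4_0_dec_msg` before and after the patch so the wrap described under "Attack vector" and the effect of the fix described above can be observed on constructed input. It assumes `__builtin_add_overflow` as a userspace stand-in for the kernel's `check_add_overflow()` (both report overflow against the destination's type), uses `bo_len` in place of the driver's `end - addr`, and takes `RDECODE_MESSAGE_CREATE` as an assumed placeholder value; the message dwords are constructed, not captured from hardware.

```c
/* Added example, not the kernel's code: models the VCN decode-message
 * bound check from vcn_v4_0_dec_msg() before and after the fix.
 * __builtin_add_overflow stands in for the kernel's check_add_overflow()
 * (same semantics: overflow is judged against the destination's type).
 * All message values below are constructed. */
#include <stdint.h>
#include <stdio.h>

/* Assumed placeholder for the driver's RDECODE_MESSAGE_CREATE constant. */
#define RDECODE_MESSAGE_CREATE 0x00000000u

/* Pre-fix condition: offset + size is a 32-bit addition that wraps modulo
 * 2^32 before the comparison with the 64-bit BO length (end - addr in the
 * driver). Returns 1 when the entry is rejected, 0 when it is accepted. */
static int check_old(uint32_t offset, uint32_t size, uint64_t bo_len)
{
    if (size < 4 || offset + size > bo_len)
        return 1;
    return 0;
}

/* Post-fix condition as in the patch: 64-bit destination. Two 32-bit
 * operands can never overflow a uint64_t, so the widening is what
 * prevents the wrap; the overflow branch never fires here. */
static int check_fixed(uint32_t offset, uint32_t size, uint64_t bo_len)
{
    uint64_t buf_end;

    if (size < 4 || __builtin_add_overflow(offset, size, &buf_end) ||
        buf_end > bo_len)
        return 1;
    return 0;
}

/* Variant with a 32-bit destination, to show when the overflow helper
 * itself fires: the wrapped sum is reported as overflow and rejected. */
static int check_fixed_u32(uint32_t offset, uint32_t size, uint64_t bo_len)
{
    uint32_t buf_end;

    if (size < 4 || __builtin_add_overflow(offset, size, &buf_end) ||
        buf_end > bo_len)
        return 1;
    return 0;
}

/* Constructed decode message laid out the way the driver's loop reads it:
 * six header dwords, then 4-dword entries of {type, offset, size, unused}. */
#define MSG_HEADER_DWORDS 6
#define NUM_BUFFERS 3
static const uint32_t sample_msg[MSG_HEADER_DWORDS + 4 * NUM_BUFFERS] = {
    0, 0, 0, 0, 0, 0,
    RDECODE_MESSAGE_CREATE, 0x00001000u, 0x00002000u, 0, /* fits in a 64 KiB BO */
    RDECODE_MESSAGE_CREATE, 0xFFFFFF00u, 0x00000200u, 0, /* sum wraps to 0x100 in 32 bits */
    0xDEADBEEFu,            0xFFFFFFFFu, 0xFFFFFFFFu, 0, /* not a CREATE entry: skipped */
};

/* Walks the entries like vcn_v4_0_dec_msg() and returns how many CREATE
 * entries the selected check rejects. use_fixed selects the post-patch check. */
static int count_rejected(const uint32_t *msg, unsigned num_buffers,
                          uint64_t bo_len, int use_fixed)
{
    int rejected = 0;
    unsigned i;

    for (i = 0, msg = &msg[MSG_HEADER_DWORDS]; i < num_buffers; ++i, msg += 4) {
        uint32_t offset, size;

        if (msg[0] != RDECODE_MESSAGE_CREATE)
            continue;
        offset = msg[1];
        size = msg[2];
        if (use_fixed ? check_fixed(offset, size, bo_len)
                      : check_old(offset, size, bo_len))
            rejected++;
    }
    return rejected;
}

int main(void)
{
    const uint64_t bo_len = 0x10000; /* constructed: a 64 KiB buffer object */

    printf("old check rejected   %d of %d entries\n",
           count_rejected(sample_msg, NUM_BUFFERS, bo_len, 0), NUM_BUFFERS);
    printf("fixed check rejected %d of %d entries\n",
           count_rejected(sample_msg, NUM_BUFFERS, bo_len, 1), NUM_BUFFERS);
    return 0;
}
```

The second CREATE entry is the interesting one: `0xFFFFFF00 + 0x200` wraps to `0x100` in 32-bit arithmetic, so the old check accepts it against a 64 KiB object, while the fixed check computes `0x100000100` and rejects it. On a patched kernel that rejection is what produces the `DRM_ERROR` line "VCN message buffer exceeds BO bounds!" in dmesg, which is the observable a defender can watch for.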

Preconditions

  • auth: Ability to submit a crafted VCN decode message to the amdgpu kernel driver (requires local access to the DRM device, e.g., via /dev/dri/card*).
  • input: The crafted message must contain offset and size values whose sum overflows a 32-bit unsigned integer.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
