CVE-2026-23034 Overview
A memory leak vulnerability has been identified in the Linux kernel's AMD GPU driver (drm/amdgpu/userq). The vulnerability exists in the user mode queue teardown process where a fence reference is not properly released when the queue is destroyed. This results in the amdgpu_userq_fence slab cache retaining allocated objects after driver unload, triggering kernel warnings and potentially leading to memory exhaustion over time.
Critical Impact
Memory leak in AMD GPU driver can cause system instability and kernel warnings during driver unload, with potential for memory exhaustion in long-running systems.
Affected Products
- Linux kernel with AMD GPU driver (drm/amdgpu module)
- Systems utilizing AMD graphics hardware with user mode queue functionality
- Kernel versions prior to the fix commit 8e051e38a8d45caf6a866d4ff842105b577953bb
Discovery Timeline
- 2026-01-31 - CVE CVE-2026-23034 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-23034
Vulnerability Analysis
This vulnerability is a memory leak caused by improper resource management in the AMD GPU kernel driver. The user mode queue implementation maintains a pointer (userq->last_fence) to track the most recent fence object, which holds an extra dma_fence reference. During queue teardown, the fence driver and its xarray are properly freed, but the code fails to release the last_fence reference via dma_fence_put().
The consequence is that the last fence object remains allocated in the amdgpu_userq_fence slab cache even after the driver unloads. This manifests as visible kernel errors during module unload, specifically BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown() and kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects.
Root Cause
The root cause is a missing dma_fence_put() call during the amdgpu_userq_fence_driver_free() function. When user mode queues are destroyed, the cleanup routine properly frees most resources but neglects to decrement the reference count on userq->last_fence. Since DMA fences use reference counting for memory management, failing to release this reference prevents the fence object from being deallocated, resulting in a memory leak.
Attack Vector
While this vulnerability does not have a direct remote attack vector, it represents a local denial of service risk. An attacker with local access could potentially trigger repeated driver load/unload cycles or create and destroy multiple user mode queues to accelerate memory exhaustion. The vulnerability primarily affects system stability and reliability rather than providing a pathway for privilege escalation or code execution.
The fix involves adding dma_fence_put(userq->last_fence) and clearing the pointer during the fence driver free routine, ensuring proper reference counting and clean slab cache shutdown.
Detection Methods for CVE-2026-23034
Indicators of Compromise
- Kernel log messages containing BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()
- Warning messages about kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects
- Call traces in kernel logs referencing kmem_cache_destroy, amdgpu_userq_fence_slab_fini, and amdgpu_exit
- Gradual memory consumption increase in systems with AMD GPU drivers
Detection Strategies
- Monitor kernel logs (dmesg) for AMD GPU driver slab cache warnings during module unload
- Track slab cache statistics via /proc/slabinfo for amdgpu_userq_fence entries that persist after driver unload
- Implement automated log parsing for kernel BUG messages related to amdgpu memory management
Monitoring Recommendations
- Configure system logging to alert on kernel slab cache destruction failures
- Establish baseline memory usage patterns for systems running AMD GPU workloads
- Monitor for unusual patterns of driver load/unload operations
- Use kernel memory debugging tools such as kmemleak to identify persistent allocations
How to Mitigate CVE-2026-23034
Immediate Actions Required
- Update the Linux kernel to a version containing the fix commit
- Minimize driver load/unload cycles until patched
- Monitor system memory usage on affected systems
- Review kernel logs for evidence of exploitation or impact
Patch Information
The vulnerability has been resolved in the Linux kernel. The fix adds a dma_fence_put() call for userq->last_fence and clears the pointer during amdgpu_userq_fence_driver_free(). The patch was cherry-picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb.
Kernel maintainers have published the fix through the stable kernel trees:
Workarounds
- Avoid unloading the amdgpu kernel module on production systems until patched
- Reboot systems periodically to reclaim leaked memory if patching is delayed
- Disable user mode queue functionality if not required for your workload (requires kernel configuration changes)
- Consider using kernel live patching solutions for critical production environments
# Check current kernel version and amdgpu module status
uname -r
lsmod | grep amdgpu
# Monitor slab cache for potential memory leaks
cat /proc/slabinfo | grep amdgpu_userq_fence
# Check kernel logs for related warnings
dmesg | grep -i "amdgpu_userq_fence"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
