CVE-2026-23163: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23163 Overview

A NULL pointer dereference vulnerability has been identified in the Linux kernel's AMD GPU (amdgpu) driver, specifically within the amdgpu_gmc_filter_faults_remove() function. This vulnerability affects AMD APUs including Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0) and can lead to a kernel crash when retry faults are enabled.

The vulnerability occurs because the ih1 and ih2 interrupt ring buffers are not initialized on APUs by design, as these secondary IH rings are only available on discrete GPUs. However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to get the timestamp of the last interrupt entry, resulting in a NULL pointer dereference when amdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[].

Critical Impact
Systems running affected AMD APUs with retry fault handling enabled (noretry=0) may experience kernel crashes and system instability, leading to denial of service conditions.

Affected Products

Linux kernel with amdgpu driver on AMD Raven APU (GC 9.1.0)
Linux kernel with amdgpu driver on AMD Renoir APU (GC 9.2.2, 9.3.0)
Systems with retry fault handling enabled (noretry=0)

Discovery Timeline

2026-02-14 - CVE CVE-2026-23163 published to NVD
2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-23163

Vulnerability Analysis

This Null Pointer Dereference vulnerability exists in the AMD GPU driver's fault filtering mechanism. The issue stems from an architectural assumption that was violated when retry fault handling was enabled on APU platforms.

On discrete GPUs, the ih1 and ih2 secondary interrupt handler rings are properly initialized and available. However, on APUs like Raven and Renoir, the vega10_ih_sw_init() function explicitly skips initialization of these secondary IH rings when AMD_IS_APU is set. This is intentional behavior, as these secondary rings serve no purpose on integrated graphics hardware.

The problematic code path is triggered when amdgpu_gmc_filter_faults_remove() is called from the SVM (Shared Virtual Memory) page fault recovery path. This function unconditionally attempts to use ih1 to retrieve the timestamp of the last interrupt entry through amdgpu_ih_decode_iv_ts_helper(), which dereferences the uninitialized ring pointer.

This issue was exposed by commit 1446226d32a4 which changed the default for Renoir APU from noretry=1 to noretry=0, enabling retry fault handling and exercising the buggy code path that had previously remained dormant.

Root Cause

The root cause is a missing NULL pointer check before accessing the ih1 interrupt ring buffer in amdgpu_gmc_filter_faults_remove(). The code assumes that secondary IH rings are always available, but this assumption is invalid for APU configurations where ih1.ring_size is zero and the ring is not allocated.

The fix adds a proper check for ih1.ring_size before attempting to use the ring, and restores soft IH support from commit dd299441654f for hardware that doesn't support secondary hardware IH rings.

Attack Vector

The vulnerability is triggered through the following kernel call path when retry faults are enabled on affected APUs:

A page fault occurs that requires SVM recovery
gmc_v9_0_process_interrupt() handles the GPU interrupt
amdgpu_vm_handle_fault() initiates fault recovery
svm_range_restore_pages() processes the page fault
amdgpu_gmc_filter_faults_remove() is called to clean up fault tracking
amdgpu_ih_decode_iv_ts_helper() dereferences the NULL ih->ring[] pointer
Kernel crash occurs with a NULL pointer dereference at address 0x0000000000000004

The crash manifests with the following call trace:

BUG: kernel NULL pointer dereference, address: 0000000000000004
RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]
Call Trace:
  amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]
  svm_range_restore_pages+0xae5/0x11c0 [amdgpu]
  amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]
  gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]
  amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]
  amdgpu_ih_process+0x84/0x100 [amdgpu]

Detection Methods for CVE-2026-23163

Indicators of Compromise

Kernel crash logs showing NULL pointer dereference at amdgpu_ih_decode_iv_ts_helper+0x22/0x40
System logs containing BUG: kernel NULL pointer dereference with amdgpu module in the call trace
Unexpected system reboots on AMD Raven or Renoir APU systems under GPU workloads
Kernel panic events correlating with SVM (Shared Virtual Memory) operations

Detection Strategies

Monitor kernel logs for NULL pointer dereference errors involving the amdgpu driver module
Implement automated log analysis for crash signatures matching the amdgpu_gmc_filter_faults_remove call path
Track system stability metrics on AMD APU systems, particularly those running GC 9.x hardware
Use crash analysis tools to identify recurring patterns in kernel dumps related to GPU interrupt handling

Monitoring Recommendations

Deploy kernel crash monitoring solutions such as kdump or systemd-coredump to capture crash dumps
Configure alerting for kernel oops and panic events involving amdgpu driver components
Monitor system uptime and stability metrics on systems with AMD Raven and Renoir APUs
Implement centralized log aggregation to correlate GPU-related crashes across fleet deployments

How to Mitigate CVE-2026-23163

Immediate Actions Required

Update the Linux kernel to a version containing the fix (commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)
As a temporary workaround, set noretry=1 module parameter for amdgpu to disable retry fault handling
Review system logs for evidence of prior crashes related to this vulnerability
Prioritize patching on systems running AMD Raven or Renoir APUs with GPU-intensive workloads

Patch Information

The vulnerability has been resolved in the Linux kernel through multiple stable branch commits. The fix adds a check for ih1.ring_size before attempting to use the ring buffer and restores soft IH support for hardware that doesn't support secondary hardware IH rings.

Patch commits are available at:

Workarounds

Disable retry fault handling by loading the amdgpu module with noretry=1 parameter
Add amdgpu.noretry=1 to kernel boot parameters in GRUB configuration
Consider disabling SVM functionality if not required for workload operations
Monitor for kernel updates from your distribution and apply patches as they become available

bash

# Configuration example
# Temporary workaround: Disable retry fault handling on AMD APUs
# Add to /etc/modprobe.d/amdgpu.conf
options amdgpu noretry=1

# Or add to kernel boot parameters in /etc/default/grub
# GRUB_CMDLINE_LINUX="amdgpu.noretry=1"
# Then run: sudo update-grub

CVE-2026-23163 Overview

Critical Impact
Systems running affected AMD APUs with retry fault handling enabled (noretry=0) may experience kernel crashes and system instability, leading to denial of service conditions.

Affected Products

Linux kernel with amdgpu driver on AMD Raven APU (GC 9.1.0)
Linux kernel with amdgpu driver on AMD Renoir APU (GC 9.2.2, 9.3.0)
Systems with retry fault handling enabled (noretry=0)

Discovery Timeline

2026-02-14 - CVE CVE-2026-23163 published to NVD
2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-23163

Vulnerability Analysis

Root Cause

The fix adds a proper check for ih1.ring_size before attempting to use the ring, and restores soft IH support from commit dd299441654f for hardware that doesn't support secondary hardware IH rings.

Attack Vector

The vulnerability is triggered through the following kernel call path when retry faults are enabled on affected APUs:

A page fault occurs that requires SVM recovery
gmc_v9_0_process_interrupt() handles the GPU interrupt
amdgpu_vm_handle_fault() initiates fault recovery
svm_range_restore_pages() processes the page fault
amdgpu_gmc_filter_faults_remove() is called to clean up fault tracking
amdgpu_ih_decode_iv_ts_helper() dereferences the NULL ih->ring[] pointer
Kernel crash occurs with a NULL pointer dereference at address 0x0000000000000004

The crash manifests with the following call trace:

BUG: kernel NULL pointer dereference, address: 0000000000000004
RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]
Call Trace:
  amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]
  svm_range_restore_pages+0xae5/0x11c0 [amdgpu]
  amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]
  gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]
  amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]
  amdgpu_ih_process+0x84/0x100 [amdgpu]

Detection Methods for CVE-2026-23163

Indicators of Compromise

Kernel crash logs showing NULL pointer dereference at amdgpu_ih_decode_iv_ts_helper+0x22/0x40
System logs containing BUG: kernel NULL pointer dereference with amdgpu module in the call trace
Unexpected system reboots on AMD Raven or Renoir APU systems under GPU workloads
Kernel panic events correlating with SVM (Shared Virtual Memory) operations

Detection Strategies

Monitor kernel logs for NULL pointer dereference errors involving the amdgpu driver module
Implement automated log analysis for crash signatures matching the amdgpu_gmc_filter_faults_remove call path
Track system stability metrics on AMD APU systems, particularly those running GC 9.x hardware
Use crash analysis tools to identify recurring patterns in kernel dumps related to GPU interrupt handling

Monitoring Recommendations

Deploy kernel crash monitoring solutions such as kdump or systemd-coredump to capture crash dumps
Configure alerting for kernel oops and panic events involving amdgpu driver components
Monitor system uptime and stability metrics on systems with AMD Raven and Renoir APUs
Implement centralized log aggregation to correlate GPU-related crashes across fleet deployments

How to Mitigate CVE-2026-23163

Immediate Actions Required

Update the Linux kernel to a version containing the fix (commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)
As a temporary workaround, set noretry=1 module parameter for amdgpu to disable retry fault handling
Review system logs for evidence of prior crashes related to this vulnerability
Prioritize patching on systems running AMD Raven or Renoir APUs with GPU-intensive workloads

Patch Information

Patch commits are available at:

Workarounds

Disable retry fault handling by loading the amdgpu module with noretry=1 parameter
Add amdgpu.noretry=1 to kernel boot parameters in GRUB configuration
Consider disabling SVM functionality if not required for workload operations
Monitor for kernel updates from your distribution and apply patches as they become available

bash

# Configuration example
# Temporary workaround: Disable retry fault handling on AMD APUs
# Add to /etc/modprobe.d/amdgpu.conf
options amdgpu noretry=1

# Or add to kernel boot parameters in /etc/default/grub
# GRUB_CMDLINE_LINUX="amdgpu.noretry=1"
# Then run: sudo update-grub

CVE-2026-23163: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23163 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-23163

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-23163

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-23163

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-23163: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23163 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-23163

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-23163

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-23163

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform