CVE-2026-23338 Overview
A vulnerability has been identified in the Linux kernel's AMD GPU (drm/amdgpu) userq subsystem that allows userspace to trivially trigger kernel warnings. The issue exists in the userq wait ioctl where userspace can either deliberately pass in a num_fences value that is too small, or the required number of fences can legitimately grow between two calls to the userq wait ioctl. In both scenarios, the kernel would emit warning backtraces via WARN_ON macros, even though no actual kernel fault has occurred.
The fix removes the unnecessary WARN_ON calls, since the kernel is functioning correctly in these cases: userspace simply receives an errno return value indicating the problem. The weakness is a kernel information disclosure vector in which an unprivileged userspace application can generate excessive kernel log noise and potentially expose kernel memory layout information through the backtrace dumps.
Critical Impact
Userspace applications can deliberately trigger kernel warnings and backtraces in the AMDGPU userq subsystem, potentially leading to denial of service through log flooding or information disclosure via kernel backtraces.
Affected Products
- Linux kernel with AMDGPU driver enabled
- Systems using AMD GPU hardware with userq functionality
- Linux distributions running affected kernel versions with DRM subsystem
Discovery Timeline
- 2026-03-25 - CVE-2026-23338 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23338
Vulnerability Analysis
This vulnerability exists within the Direct Rendering Manager (DRM) subsystem of the Linux kernel, specifically in the AMD GPU driver's userqueue (userq) implementation. The userq feature provides a mechanism for userspace applications to interact with GPU fence synchronization primitives through ioctl system calls.
The root issue lies in the handling of the num_fences parameter during userq wait ioctl operations. When userspace provides a num_fences value that is smaller than what is actually required, or when the fence count changes between consecutive ioctl calls, the kernel would trigger WARN_ON assertions. While these assertions don't indicate an actual kernel malfunction, they generate full kernel backtraces that can be observed in system logs.
The vulnerability enables a local attacker with access to the GPU device to repeatedly trigger these warnings, potentially flooding system logs and exposing kernel address space layout through the backtrace output. This is particularly relevant in environments where kernel address space layout randomization (KASLR) is employed as a security measure.
Root Cause
The root cause is the improper use of WARN_ON macros for handling expected userspace behavior. The kernel code was treating valid but edge-case userspace input as exceptional conditions worthy of kernel warnings, when in reality these scenarios are expected possibilities that should be handled gracefully with simple errno returns. The WARN_ON macros should be reserved for detecting genuine kernel bugs rather than userspace input validation failures.
Attack Vector
The attack vector is local and requires an unprivileged user with access to the AMDGPU device node (typically /dev/dri/renderD* or /dev/dri/card*). An attacker can exploit this vulnerability by:
- Opening the AMDGPU device
- Issuing userq wait ioctl calls with intentionally small num_fences values
- Alternatively, manipulating timing to cause fence count changes between ioctl calls
- Observing kernel warnings generated in system logs containing backtrace information
The vulnerability is exploited through standard ioctl system calls to the DRM subsystem. The attacker crafts ioctl parameters with undersized num_fences values to trigger the WARN_ON conditions in the kernel's userq handling code. Each triggered warning generates a full kernel backtrace, which can reveal kernel memory addresses and potentially defeat KASLR protections.
Detection Methods for CVE-2026-23338
Indicators of Compromise
- Excessive kernel warnings containing drm/amdgpu/userq in system logs (/var/log/kern.log, dmesg)
- Unusual volume of DRM ioctl calls from non-graphics applications
- Kernel backtraces referencing amdgpu_userq or related fence handling functions
- System log flooding with WARNING stack traces from the DRM subsystem
Detection Strategies
- Monitor system logs for repeated WARN_ON triggers from the AMDGPU userq subsystem
- Implement rate limiting alerts for kernel warning messages originating from DRM components
- Use auditd to track ioctl calls to GPU device nodes from unexpected processes
- Deploy log analysis rules to detect patterns of fence-related warnings in kernel logs
Monitoring Recommendations
- Enable enhanced kernel logging for the DRM subsystem to capture detailed ioctl activity
- Configure SIEM rules to alert on abnormal rates of kernel WARNING messages
- Monitor process access patterns to /dev/dri/* device nodes for unauthorized access
- Implement kernel log aggregation with anomaly detection for backtrace patterns
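The indicators and detection strategies above (repeated WARN_ON backtraces from the AMDGPU userq code, rate-based alerting per process) can be turned into a small log-analysis rule. The following script is an added example for this advisory, not code from the Linux kernel project or from the advisory's author. It parses the standard `WARNING: CPU: n PID: n at file:line func+off/len` line that the kernel prints for a WARN_ON, keeps only hits that reference amdgpu_userq, and flags any PID that produces a burst of such warnings inside a short window. The dmesg lines embedded below are constructed for the example, and the source path drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c and the function name amdgpu_userq_wait_ioctl are assumptions, not values taken from the advisory.

```python
"""Flag bursts of AMDGPU userq WARN_ON backtraces in kernel log output.

Added example for this advisory (not kernel or advisory code). Assumes the
dmesg line shape shown in SAMPLE_LOG; the file path and function name used
in the sample are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of `dmesg` output, not a real capture. Timestamps are
# seconds since boot, as dmesg prints them. Three userq warnings arrive from
# one PID within 100 ms; the final line is an unrelated warning that must be
# ignored by the userq filter.
SAMPLE_LOG = """\
[  120.002000] ------------[ cut here ]------------
[  120.002100] WARNING: CPU: 2 PID: 4242 at drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c:123 amdgpu_userq_wait_ioctl+0x1a2/0x3f0 [amdgpu]
[  120.002200] Call Trace:
[  120.002300]  <TASK>
[  120.002400]  drm_ioctl_kernel+0x9c/0xf0
[  120.002500]  drm_ioctl+0x22b/0x3f0
[  120.002600]  __x64_sys_ioctl+0x8b/0xc0
[  120.002700]  </TASK>
[  120.002800] ---[ end trace 0000000000000000 ]---
[  120.050000] ------------[ cut here ]------------
[  120.050100] WARNING: CPU: 2 PID: 4242 at drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c:123 amdgpu_userq_wait_ioctl+0x1a2/0x3f0 [amdgpu]
[  120.050200] ---[ end trace 0000000000000000 ]---
[  120.100000] ------------[ cut here ]------------
[  120.100100] WARNING: CPU: 3 PID: 4242 at drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c:123 amdgpu_userq_wait_ioctl+0x1a2/0x3f0 [amdgpu]
[  120.100200] ---[ end trace 0000000000000000 ]---
[  900.000000] WARNING: CPU: 0 PID: 17 at kernel/workqueue.c:1 process_one_work+0x10/0x20
"""

# The kernel's WARN_ON/WARN line: "[ts] WARNING: CPU: c PID: p at file:line func+off/len ..."
WARN_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\] WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) "
    r"at (?P<file>\S+):(?P<line>\d+) (?P<func>[A-Za-z0-9_.]+)"
)


def parse_userq_warnings(text):
    """Return one record per WARNING line that points into the amdgpu userq code.

    Each record has ts (float seconds), pid, file, line and func. Warnings from
    other parts of the kernel are dropped so unrelated noise does not count.
    """
    hits = []
    for raw in text.splitlines():
        m = WARN_RE.match(raw)
        if not m:
            continue
        if "amdgpu_userq" not in m["file"] and not m["func"].startswith("amdgpu_userq"):
            continue
        hits.append({
            "ts": float(m["ts"]),
            "pid": int(m["pid"]),
            "file": m["file"],
            "line": int(m["line"]),
            "func": m["func"],
        })
    return hits


def find_bursts(hits, window=1.0, threshold=3):
    """Flag PIDs that emitted at least `threshold` userq warnings within `window` seconds.

    Uses a sliding window over each PID's sorted timestamps; one alert per PID.
    A single warning is expected from a buggy but benign client, so the
    threshold is what separates a stray error from deliberate log flooding.
    """
    by_pid = defaultdict(list)
    for h in hits:
        by_pid[h["pid"]].append(h["ts"])
    alerts = []
    for pid, stamps in by_pid.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"pid": pid, "count": end - start + 1,
                               "first": stamps[start], "last": stamps[end]})
                break
    return alerts


if __name__ == "__main__":
    for a in find_bursts(parse_userq_warnings(SAMPLE_LOG)):
        print(f"ALERT pid={a['pid']} userq warnings={a['count']} "
              f"between {a['first']:.3f}s and {a['last']:.3f}s")
```

On a live host the same functions can be fed from `dmesg` or `journalctl -k` output instead of SAMPLE_LOG; note that reading the kernel ring buffer may require elevated privileges when `kernel.dmesg_restrict` is set. The window and threshold are tuning knobs: a legitimate client that mis-sizes num_fences once will show up as a single warning, while the log-flooding pattern the advisory describes shows up as many warnings from the same PID in quick succession.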
How to Mitigate CVE-2026-23338
Immediate Actions Required
- Apply the latest kernel patches containing the fix (commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)
- Restrict access to GPU device nodes to only trusted users and applications
- Review system logs for evidence of exploitation attempts
- Consider temporarily disabling userq functionality if not required
Patch Information
The vulnerability has been resolved by removing the unnecessary WARN_ON calls from the userq wait ioctl handler. The fix ensures that userspace input validation failures are handled gracefully with appropriate errno returns rather than generating kernel warnings.
The following kernel commits contain the fix:
Update to a kernel version that includes these patches. For stable kernel branches, verify that the cherry-picked commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c is included.
Workarounds
- Restrict /dev/dri/* device permissions to limit access to trusted users only
- Use cgroups or seccomp filters to prevent untrusted applications from making DRM ioctls
- Implement rate limiting on kernel log writes to mitigate log flooding attacks
- Deploy mandatory access control policies (SELinux/AppArmor) to restrict GPU device access
```sh
# Configuration example
# Restrict GPU device access to trusted groups only
chmod 660 /dev/dri/renderD*
chown root:render /dev/dri/renderD*
# Add trusted users to the render group
usermod -aG render trusted_user
# Monitor for exploitation attempts in kernel logs
# (reading the ring buffer may need root if kernel.dmesg_restrict is set)
dmesg -w | grep -i "amdgpu.*userq\|WARN"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

