CVE-2026-46229 Overview
CVE-2026-46229 is an information disclosure vulnerability in the Linux kernel's AMD Kernel Fusion Driver (drm/amdkfd). The Kernel Fusion Driver (KFD) Video RAM (VRAM) allocation path sets AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but fails to set AMDGPU_GEM_CREATE_VRAM_CLEARED. As a result, newly allocated VRAM buffers retain stale data from prior use, which compute kernels can read. The Graphics Execution Manager (GEM) ioctl path already clears VRAM through amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(), but the KFD path was missing this protection. The flaw allows stale page table remnants to leak into userspace buffers and also corrupts the RCCL P2P transport handshake by leaving non-zero values in ptrExchange, head, and tail fields.
Critical Impact
Compute kernels running on AMD GPUs can read residual data from previously freed VRAM regions, including kernel page table remnants, leading to information disclosure across workloads.
Affected Products
- Linux kernel builds that include the drm/amdkfd driver
- Systems using AMD GPUs with the Kernel Fusion Driver for compute workloads
- Multi-tenant or shared GPU environments leveraging RCCL peer-to-peer transport
Discovery Timeline
- 2026-05-28 - CVE-2026-46229 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46229
Vulnerability Analysis
The AMD Kernel Fusion Driver exposes GPU compute capabilities to userspace through a dedicated allocation path separate from the GEM ioctl interface. When KFD allocates VRAM, it requests wipe-on-release semantics via AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but omits AMDGPU_GEM_CREATE_VRAM_CLEARED. Wipe-on-release only zeroes memory when buffers are freed, not when they are allocated. Allocations therefore inherit whatever bytes the underlying VRAM pages last contained, including remnants of prior kernel page tables and other process data. Compute kernels reading these buffers observe residual content that should never cross trust boundaries.
Root Cause
The root cause is a missing buffer object creation flag on the KFD allocation path. The GEM ioctl-based userspace allocators set AMDGPU_GEM_CREATE_VRAM_CLEARED to force the driver to zero VRAM at allocation time. The KFD path constructs amdgpu_bo objects without that flag, so the Translation Table Manager (TTM) skips the clearing step. The result is uninitialized memory exposure [CWE-908] combined with information disclosure across workload boundaries.
Attack Vector
A local user with permission to submit compute work to an AMD GPU through KFD can allocate VRAM buffers and read their contents before writing to them. The buffers may contain stale GPU page table entries, prior tenant data, or fragments of other compute workloads. In RCCL P2P transport scenarios, non-zero residual data in ptrExchange, head, and tail fields corrupts the handshake and produces crashes, which can also serve as a reliability signal during exploitation.
No verified public exploit code is available. The vulnerability mechanism is documented in the upstream commits referenced below. See Kernel Patch 047d44d and Kernel Patch 1db4313 for the corrective code.
Detection Methods for CVE-2026-46229
Indicators of Compromise
- Unexplained crashes in RCCL P2P transport with corrupted handshake fields (ptrExchange, head, tail)
- Compute workloads observing non-zero initial values in freshly allocated VRAM buffers
- Anomalous data patterns in GPU buffers that match prior workload signatures on shared hosts
Detection Strategies
- Audit running kernel versions across GPU-enabled hosts and compare against patched stable kernel releases referenced in the upstream fix
- Instrument compute applications to checksum freshly allocated VRAM before first write and flag non-zero results
- Review RCCL and HIP application logs for unexpected handshake failures or transport-layer crashes that correlate with the flaw
Monitoring Recommendations
- Track dmesg output for amdgpu and amdkfd warnings on multi-tenant GPU hosts
- Monitor user processes that open /dev/kfd and allocate large VRAM buffers without prior writes
- Centralize kernel version inventory and patch-state telemetry for AI and high-performance compute clusters
How to Mitigate CVE-2026-46229
Immediate Actions Required
- Apply the upstream stable kernel patches that add AMDGPU_GEM_CREATE_VRAM_CLEARED to the KFD allocation path
- Update distribution kernels on all hosts running AMD GPU compute workloads as soon as vendor builds are available
- Restrict access to /dev/kfd to trusted users until patched kernels are deployed
Patch Information
The Linux kernel maintainers committed fixes across multiple stable branches. Reference commits: Kernel Patch 047d44d, Kernel Patch 1db4313, Kernel Patch 32b1536, Kernel Patch 77d0b5d, and Kernel Patch ad52d61. Each patch adds the AMDGPU_GEM_CREATE_VRAM_CLEARED flag to the KFD buffer object creation path.
Workarounds
- Avoid sharing AMD GPU compute hosts across mutually untrusted tenants until the kernel is patched
- Require compute workloads to explicitly zero VRAM buffers immediately after allocation as a defense-in-depth measure
- Disable KFD compute access on hosts that do not require it by restricting permissions on /dev/kfd
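# Show the running kernel and amdgpu module build details, then compare them with
# your distribution's patched kernel release (these commands do not report the flag itself)
uname -r
modinfo amdgpu | grep -i version
# Restrict KFD device access to a trusted group until patched
# (the gpu-compute group must already exist; manual changes to /dev/kfd do not
# survive a reboot, so make them persistent with a udev rule)
sudo chgrp gpu-compute /dev/kfd
sudo chmod 0660 /dev/kfd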
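One way to check the two host-side conditions described above: whether /dev/kfd is reachable by every local user, and which processes currently hold it open. This is an added example, not part of the original advisory or of the kernel project; the function names are hypothetical, and it assumes GNU stat and the Linux /proc layout.

```shell
#!/bin/sh
# Added example: audit access to the KFD device node on one host.
# Assumptions: GNU stat, Linux /proc layout; function names are hypothetical.

# kfd_world_access NODE
# Prints "open" if the "other" permission digit of NODE is non-zero (any local
# user can reach the device), "restricted" otherwise. Returns 2 if NODE is absent.
kfd_world_access() {
    node=$1
    [ -e "$node" ] || return 2
    mode=$(stat -c '%a' "$node") || return 2
    other=${mode#"${mode%?}"}        # last octal digit = permissions for "other"
    if [ "$other" -ne 0 ]; then echo open; else echo restricted; fi
}

# kfd_openers PROCROOT NODE
# Prints "pid uid comm" for every process under PROCROOT that holds NODE open,
# found by resolving the PROCROOT/<pid>/fd/* symlinks.
kfd_openers() {
    procroot=$1
    node=$2
    for piddir in "$procroot"/[0-9]*; do
        [ -d "$piddir/fd" ] || continue
        for fd in "$piddir"/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "$node" ] || continue
            pid=${piddir##*/}
            uid=$(awk '/^Uid:/ {print $2}' "$piddir/status" 2>/dev/null)
            comm=$(cat "$piddir/comm" 2>/dev/null)
            echo "$pid ${uid:-?} ${comm:-?}"
            break                    # one line per process is enough
        done
    done
}

# Run against the live system only when asked to:  sudo sh kfd_audit.sh audit
if [ "${1:-}" = "audit" ]; then
    echo "/dev/kfd world access: $(kfd_world_access /dev/kfd || echo absent)"
    echo "processes holding /dev/kfd (pid uid comm):"
    kfd_openers /proc /dev/kfd
fi
```

Run it as root so that the fd tables of other users' processes are readable; an "open" result or an opener with an unexpected uid is the condition the workaround above is meant to remove.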


