CVE-2026-46237 Overview
CVE-2026-46237 is a vulnerability in the Linux kernel affecting the AMD GPU (amdgpu) Video Core Next 3 (VCN3) driver. The flaw exists in the message bound check logic of the drm/amdgpu/vcn3 subsystem, where the previous bound-check condition is susceptible to an integer overflow. The issue was identified through Static Defect Localization (SDL) review and resolved by introducing a safer bound check. The fix was cherry-picked from upstream commit db00257ac9e4a51eb2515aaea161a019f7125e10.
Critical Impact
An integer overflow in the VCN3 message bound check could allow the kernel to accept malformed messages that bypass length validation, potentially leading to memory corruption in the GPU driver path.
Affected Products
- Linux kernel — drm/amdgpu driver, VCN3 component
- Systems using AMD GPUs with VCN3 video encode/decode hardware
- Stable kernel branches receiving the cherry-picked backport
Discovery Timeline
- 2026-05-28 - CVE-2026-46237 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46237
Vulnerability Analysis
The vulnerability resides in the message validation logic of the AMD GPU VCN3 (Video Core Next, generation 3) driver inside the Direct Rendering Manager (DRM) subsystem. The VCN3 hardware block handles video encode and decode operations and processes message buffers submitted by user space through the kernel command stream. Before dispatching a message to firmware, the driver verifies that the message stays within an expected bound. The prior implementation performed this check using arithmetic that can wrap around when operand values are sufficiently large.
When an integer overflow occurs in a bound check, the comparison produces a result that incorrectly indicates the buffer is within range. An attacker controlling the offset or size fields of a submitted VCN message could craft values that overflow the addition used in the check, allowing the driver to proceed with out-of-bounds memory access on the GPU message buffer. The resolved code adjusts the comparison to evaluate operands in a form that cannot overflow.
Root Cause
The root cause is an unchecked arithmetic operation in the VCN3 message bound check ([CWE-190] Integer Overflow). Adding a user-influenced offset to a size before comparison can produce a wrapped value smaller than the limit, defeating validation.
Attack Vector
Exploitation requires local access to submit GPU command streams to the amdgpu driver through DRM ioctls. A user with permission to open the render node can craft a VCN message with offset and size fields that trigger the overflow condition. No code example is published; consult the upstream commits for the exact diff.
// No verified exploit code is available for CVE-2026-46237.
// Refer to the upstream kernel commits for the corrected
// bound check implementation in drm/amdgpu/vcn_v3_0.c.
Detection Methods for CVE-2026-46237
Indicators of Compromise
- Unexpected amdgpu kernel ring timeouts or GPU resets logged in dmesg correlated with VCN workloads
- Kernel oops or page fault entries referencing vcn_v3_0 or amdgpu_vcn functions
- Userspace processes repeatedly submitting malformed VCN command streams to /dev/dri/renderD*
Detection Strategies
- Audit kernel package versions against vendor advisories listing the cherry-picked fix commits referenced in NVD
- Monitor for abnormal use of DRM render nodes by unprivileged processes that do not normally use GPU acceleration
- Correlate GPU driver crash signatures with process telemetry to identify the submitting binary
Monitoring Recommendations
- Forward dmesg and journald kernel logs to a central log platform and alert on amdgpu fault patterns
- Track DRM ioctl call volume per process to surface anomalous submission rates
- Apply file integrity monitoring to kernel modules and confirm running uname -r matches the patched build
How to Mitigate CVE-2026-46237
Immediate Actions Required
- Upgrade the Linux kernel to a stable release that contains the backport from upstream commit db00257ac9e4a51eb2515aaea161a019f7125e10
- Inventory hosts running AMD GPUs with VCN3 hardware and prioritize multi-tenant or workstation systems where untrusted local users exist
- Restrict access to /dev/dri/renderD* to trusted users and groups where GPU acceleration is not broadly required
Patch Information
The fix is available in the stable kernel tree across the following commits: 016b64a0313e, 1936310f68c5, 2e43b66fceac, e6e9faba8100, and e8124121b79a. Apply distribution kernel updates that incorporate these commits.
Workarounds
- Disable VCN-dependent workloads (hardware video encode/decode) on affected systems until patched
- Tighten permissions on DRM render nodes so only trusted service accounts can submit GPU commands
- Where feasible, blacklist the amdgpu module on systems that do not require AMD GPU functionality
# Verify running kernel and restrict DRM render node access
uname -r
ls -l /dev/dri/renderD*
sudo chgrp render /dev/dri/renderD128
sudo chmod 0660 /dev/dri/renderD128
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
