CVE-2026-53325 Overview
CVE-2026-53325 is a NULL pointer dereference vulnerability in the Linux kernel's AMD64 Advanced Graphics Port (AGP) driver. The flaw resides in agp_amd64_probe(), which performs an incorrect error check against the return value of cache_nbs(). When executed in virtualized environments without a physical AMD northbridge, the driver proceeds with initialization despite hardware absence. This leads to a General Protection Fault (GPF) when amd64_fetch_size() dereferences the NULL pointer returned by node_to_amd_nb(0). The issue has been resolved in stable kernel branches.
Critical Impact
Local triggering of a kernel General Protection Fault causing a denial-of-service condition on affected Linux systems running in virtualized environments without an AMD northbridge.
Affected Products
- Linux kernel (upstream) — AGP AMD64 driver (agp/amd64)
- Linux distributions shipping vulnerable stable kernel branches prior to the referenced fix commits
- Virtualized guests (e.g., QEMU/KVM) loading the amd64-agp driver without exposed AMD northbridge hardware
Discovery Timeline
- 2026-06-29 - CVE-2026-53325 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-53325
Vulnerability Analysis
The vulnerability originates in the AMD64 AGP driver's probe routine. When the driver initializes, it calls cache_nbs() to enumerate AMD northbridge devices. On systems where no AMD northbridges exist, cache_nbs() correctly returns -ENODEV to indicate the hardware absence.
The defect lies in how agp_amd64_probe() interprets this return value. The probe function compares the result against exactly -1 rather than testing for any negative value. Because -ENODEV does not equal -1, the error condition is silently masked, and the driver proceeds through its initialization path.
Driver initialization eventually calls agp_add_bridge(), which in turn invokes amd64_fetch_size(). That function calls node_to_amd_nb(0) to retrieve a pointer to the northbridge structure. With no hardware present, this call returns NULL, and the subsequent access to the ->misc member triggers a General Protection Fault in kernel context.
Root Cause
The root cause is broken error propagation caused by an incorrect equality check. The probe function used == -1 semantics instead of < 0 when validating the return code from cache_nbs(). This narrow comparison catches only -1 (numerically equal to -EPERM) and suppresses every other negative error code, including the -ENODEV that cache_nbs() returns here, allowing execution to continue past a fatal precondition failure.
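The flawed check and the corrected one can be compared in a user-space model. This is an added example, not kernel source or code from the upstream commits: the *_model names, the struct layout and set_northbridge_present() are assumptions that mirror the functions named above, and the NULL case is reported as a return value instead of faulting.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model for illustration, not kernel source. The *_model names
 * and the struct layout are assumptions that mirror the advisory's text. */
struct amd_nb_model { int misc; };
enum outcome { PROBE_OK, PROBE_ABORTED, PROBE_NULL_DEREF };

static struct amd_nb_model sample_nb = { 1 };   /* constructed value */
static struct amd_nb_model *northbridge;        /* NULL: no AMD northbridge */

void set_northbridge_present(int present) { northbridge = present ? &sample_nb : NULL; }

/* Models cache_nbs(): -ENODEV when no northbridge is found. */
static int cache_nbs_model(void) { return northbridge ? 0 : -ENODEV; }

/* Models node_to_amd_nb(0) followed by the ->misc access in
 * amd64_fetch_size(); reports the NULL case instead of faulting. */
static enum outcome add_bridge_model(void)
{
    struct amd_nb_model *nb = northbridge;
    if (nb == NULL)
        return PROBE_NULL_DEREF;   /* the kernel faults at this point */
    (void)nb->misc;
    return PROBE_OK;
}

/* Flawed check: only -1 counts as failure, so -ENODEV (-19 on Linux) passes. */
enum outcome probe_vulnerable(void)
{
    if (cache_nbs_model() == -1)
        return PROBE_ABORTED;
    return add_bridge_model();
}

/* Corrected check: any negative return aborts initialization. */
enum outcome probe_fixed(void)
{
    if (cache_nbs_model() < 0)
        return PROBE_ABORTED;
    return add_bridge_model();
}

int main(void)
{
    set_northbridge_present(0);   /* guest without an AMD northbridge */
    printf("vulnerable=%d fixed=%d\n", probe_vulnerable(), probe_fixed());
    return 0;
}
```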
Attack Vector
Exploitation requires the vulnerable driver to load on a system lacking an AMD northbridge, most commonly a virtualized guest under QEMU/KVM. A local user or automated boot process that triggers module loading of amd64-agp can cause the kernel oops. The impact is a denial of service through kernel crash rather than code execution or privilege escalation.
The vulnerability is described in prose only. See the upstream fix at Kernel Git Commit 0aa9b27 for the corrected error check.
Detection Methods for CVE-2026-53325
Indicators of Compromise
- Kernel log entries referencing a General Protection Fault with a call trace including amd64_fetch_size, agp_add_bridge, and agp_amd64_probe.
- Unexpected system panics or oops events shortly after amd64-agp module load on virtualized Linux guests.
- Repeated boot-time crashes on QEMU/KVM guests that do not expose AMD northbridge PCI devices.
Detection Strategies
- Inventory running kernel versions across Linux fleets and compare against the fixed stable branches referenced in the upstream commits.
- Monitor dmesg and journalctl -k output for GPF signatures involving the AGP AMD64 code path.
- Audit module load lists (lsmod) on virtualized hosts to identify guests loading amd64-agp unnecessarily.
Monitoring Recommendations
- Centralize kernel crash telemetry (kdump, kernel.panic traces) to a log aggregation platform for pattern analysis.
- Alert on any GPF stack trace containing the strings agp_amd64_probe or amd64_fetch_size.
- Track kernel package update compliance in configuration management to confirm distribution of the patched build.
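The alert described above (a GPF stack trace naming agp_amd64_probe or amd64_fetch_size) can be expressed as a small log scanner. This is an added example, not part of the original advisory: count_agp_gpf() is a hypothetical helper, the sample log is constructed, and treating an "end trace" line as the end of an oops block is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample kernel log (not captured from a real system). */
static const char SAMPLE_LOG[] =
    "[    2.90] constructed: agp_amd64_probe named outside any oops\n"
    "[    3.10] general protection fault: 0000 [#1] SMP\n"
    "[    3.11] Call Trace:\n"
    "[    3.12]  amd64_fetch_size+0x1a/0x90\n"
    "[    3.13]  agp_add_bridge+0x2b/0x300\n"
    "[    3.14]  agp_amd64_probe+0x11c/0x400\n"
    "[    3.15] ---[ end trace 0000000000000000 ]---\n"
    "[    9.40] general protection fault: 0000 [#2] SMP\n"
    "[    9.41] Call Trace:\n"
    "[    9.42]  unrelated_driver_probe+0x10/0x20\n"
    "[    9.43] ---[ end trace 0000000000000000 ]---\n";

/* Counts oops blocks that open with a general protection fault and name
 * agp_amd64_probe or amd64_fetch_size before the "end trace" marker. */
int count_agp_gpf(const char *log)
{
    int hits = 0, in_gpf = 0, matched = 0;
    while (*log) {
        char line[256];
        size_t len = strcspn(log, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, log, n);
        line[n] = '\0';
        if (strstr(line, "general protection fault")) {
            in_gpf = 1;               /* a new oops block starts here */
            matched = 0;
        } else if (in_gpf && !matched && (strstr(line, "agp_amd64_probe") ||
                                          strstr(line, "amd64_fetch_size"))) {
            matched = 1;              /* count each block only once */
            hits++;
        }
        if (strstr(line, "end trace"))
            in_gpf = 0;
        log += len + (log[len] == '\n');
    }
    return hits;
}

int main(void)
{
    printf("matching GPF blocks: %d\n", count_agp_gpf(SAMPLE_LOG));
    return 0;
}
```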
How to Mitigate CVE-2026-53325
Immediate Actions Required
- Update the Linux kernel to a version containing the upstream fix commits referenced in the advisory.
- On virtualized guests that do not require AGP support, blacklist the amd64-agp module to prevent probe execution.
- Coordinate with distribution vendors to obtain backported patches for long-term support kernels.
Patch Information
The fix corrects the error check in agp_amd64_probe() so that any negative return value from cache_nbs() aborts initialization. Patched commits are available at Kernel Git Commit 0aa9b27, Kernel Git Commit 53483a9, Kernel Git Commit b08472d, and Kernel Git Commit cefe535.
Workarounds
- Add amd64-agp to the module blacklist on virtualized systems that do not require AGP functionality.
- Boot with modprobe.blacklist=amd64-agp on the kernel command line to prevent automatic loading.
- Remove or disable AGP-related userspace utilities that may trigger driver initialization on affected hosts.
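# Configuration example: blacklist the vulnerable driver on virtualized guests
# Write a modprobe.d rule so amd64-agp is not loaded automatically
echo 'blacklist amd64-agp' | sudo tee /etc/modprobe.d/blacklist-amd64-agp.conf
# Rebuild the initramfs so the rule also applies during early boot
# (update-initramfs is the Debian/Ubuntu tool; use your distribution's equivalent)
sudo update-initramfs -u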

