Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53347

CVE-2026-53347: Linux Kernel virtio-gpu DOS Vulnerability

CVE-2026-53347 is a denial of service vulnerability in the Linux kernel virtio-gpu driver that causes kernel crashes during driver removal with disabled KMS. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-53347 Overview

CVE-2026-53347 is a Linux kernel vulnerability in the drm/virtio (virtio-gpu) driver. The flaw causes access to uninitialized memory when the driver is removed or unbound while built with Kernel Mode Setting (KMS) disabled. Because DRM atomic and modesetting subsystems are never initialized in that configuration, tearing down the atomic core during driver removal dereferences uninitialized data and crashes the kernel. The upstream fix skips shutting down the atomic core when KMS is unavailable.

Critical Impact

Local kernel crash (denial of service) triggered when the virtio-gpu driver is unbound or removed on kernels built without KMS support.

Affected Products

  • Linux kernel builds including the drm/virtio (virtio-gpu) driver with KMS disabled
  • Virtualized guests using virtio-gpu without modesetting enabled
  • Stable kernel branches referenced by the upstream fix commits

Discovery Timeline

  • 2026-07-01 - CVE-2026-53347 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-53347

Vulnerability Analysis

The vulnerability resides in the virtio-gpu Direct Rendering Manager (DRM) driver's teardown path. When the kernel is compiled with KMS disabled, the driver skips initialization of DRM atomic and modesetting state. However, the driver removal path unconditionally invokes atomic-core shutdown routines. These routines dereference structures that were never populated, resulting in access to uninitialized memory and a kernel crash. This is a classic use-of-uninitialized-resource defect [CWE-908-class] surfacing during driver unbind or module removal.

Root Cause

The removal path lacked a guard checking whether KMS was actually initialized. The fix adds a conditional that skips shutting down the atomic core when KMS is unavailable, preventing the driver from touching structures that were never set up during probe.

Attack Vector

Triggering the flaw requires local privileges sufficient to unbind or unload the virtio-gpu driver. An attacker or misconfigured automation with such privileges can force a guest kernel panic, producing a denial-of-service condition. The issue is not remotely exploitable and does not appear to grant code execution or privilege escalation. The EPSS score is 0.156%, reflecting low probability of exploitation in the wild.

No verified public exploit or proof-of-concept code is available. See the upstream commits for the exact patch semantics: 15e561869a8b, 19a6a00ff50c, 38a5f891cda6, ed3e134700a2, and f329e8325e05.

Detection Methods for CVE-2026-53347

Indicators of Compromise

  • Kernel oops or panic traces referencing virtio_gpu, drm_atomic_helper_shutdown, or DRM teardown functions during driver unbind or module removal.
  • Unexpected guest reboots correlated with rmmod virtio_gpu or hotplug-driven driver removal events.
  • dmesg entries showing NULL or garbage pointer dereferences originating from the virtio-gpu removal path.

Detection Strategies

  • Inventory guest kernels and identify builds where CONFIG_DRM_VIRTIO_GPU_KMS (or equivalent modesetting option) is disabled while virtio-gpu remains enabled.
  • Audit configuration management to flag hosts running unpatched stable kernels lacking the referenced fix commits.
  • Correlate crash telemetry from virtual machines against driver-unbind actions in orchestration logs.

Monitoring Recommendations

  • Forward guest dmesg and kdump output to a centralized log store and alert on panics in DRM subsystems.
  • Monitor virtualization control planes for unusual rmmod, modprobe -r, or unbind operations targeting virtio_gpu.
  • Track kernel version drift across your virtualized fleet to ensure patched builds are deployed.

How to Mitigate CVE-2026-53347

Immediate Actions Required

  • Apply the upstream stable kernel updates that include the virtio-gpu removal fix commits referenced in the NVD entry.
  • Restrict privileges required to unbind or remove kernel drivers to trusted administrators only.
  • Avoid unbinding or unloading virtio_gpu on unpatched kernels built without KMS.

Patch Information

The fix is available in upstream Linux stable branches through commits 15e561869a8b, 19a6a00ff50c, 38a5f891cda6, ed3e134700a2, and f329e8325e05. Rebuild affected kernels or upgrade to distribution packages that include these commits.

Workarounds

  • Build the kernel with KMS enabled for virtio-gpu so the atomic core is fully initialized during probe.
  • Blacklist the virtio_gpu module on guests that do not require it, eliminating the unbind path entirely.
  • Prevent runtime driver removal by restricting CAP_SYS_MODULE and disabling manual unbind operations through sysfs where feasible.
bash
# Blacklist virtio_gpu on guests that do not need it
echo 'blacklist virtio_gpu' | sudo tee /etc/modprobe.d/blacklist-virtio-gpu.conf
sudo update-initramfs -u

# Verify installed kernel version after patching
uname -r

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.