CVE-2026-23034
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-31

Last updated on: 2026-02-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference. When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence reference. Because of the missing dma_fence_put(), the last fence object can stay alive when the driver unloads. This leaves an allocated object in the amdgpu_userq_fence slab cache and triggers This is visible during driver unload as: BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown() kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects Call Trace: kmem_cache_destroy amdgpu_userq_fence_slab_fini amdgpu_exit __do_sys_delete_module Fix this by putting userq->last_fence and clearing the pointer during amdgpu_userq_fence_driver_free(). This makes sure the fence reference is released and the slab cache is empty when the module exits. v2: Update to only release userq->last_fence with dma_fence_put() (Christian) (cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-31
Last Modified
2026-02-03
Generated
2026-05-07
AI Q&A
2026-01-31
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23034
EUVD
EUVD-2026-5060
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
amdgpu linux_kernel to 2.11.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a reference leak in the Linux kernel's AMD GPU user mode queue (userq) driver. Specifically, the userq keeps a pointer to the most recent fence object (last_fence) which holds an extra reference. When the queue is destroyed, the driver frees related resources but fails to release this last_fence reference. As a result, the fence object remains allocated even after the driver unloads, causing memory objects to persist in the slab cache and triggering errors during module unload.


How can this vulnerability impact me? :

This vulnerability can cause memory leaks in the AMD GPU driver by leaving fence objects allocated after the driver unloads. This can lead to resource exhaustion or instability in the system, especially during driver unload or module removal operations. It may also trigger kernel errors related to slab cache objects remaining allocated.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing error messages during the unloading of the amdgpu driver module. Specifically, look for kernel log messages indicating a fence reference leak such as: BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown() kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects You can check the kernel logs using the command: dmesg | grep amdgpu_userq_fence Additionally, monitoring for errors during module unload can be done with: sudo rmmod amdgpu and then checking dmesg for the above messages.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to update the Linux kernel to a version that includes the fix for this vulnerability. The fix ensures that the last_fence reference is properly released during the amdgpu user mode queue teardown, preventing the fence reference leak. Until the update is applied, avoid unloading the amdgpu driver module to prevent the leak from occurring.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart