CVE-2026-23163
NULL Pointer Dereference in Linux amdgpu Driver Causes Kernel Crash

Publication date: 2026-02-14

Last updated on: 2026-03-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove

On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and ih2 interrupt ring buffers are not initialized. This is by design, as these secondary IH rings are only available on discrete GPUs. See vega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when AMD_IS_APU is set.

However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to get the timestamp of the last interrupt entry. When retry faults are enabled on APUs (noretry=0), this function is called from the SVM page fault recovery path, resulting in a NULL pointer dereference when amdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[].

The crash manifests as:

  BUG: kernel NULL pointer dereference, address: 0000000000000004
  RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]
  Call Trace:
   amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]
   svm_range_restore_pages+0xae5/0x11c0 [amdgpu]
   amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]
   gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]
   amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]
   amdgpu_ih_process+0x84/0x100 [amdgpu]

This issue was exposed by commit 1446226d32a4 ("drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1") which changed the default for Renoir APU from noretry=1 to noretry=0, enabling retry fault handling and thus exercising the buggy code path.

Fix this by adding a check for ih1.ring_size before attempting to use it. Also restore the soft_ih support from commit dd299441654f ("drm/amdgpu: Rework retry fault removal"). This is needed if the hardware doesn't support secondary HW IH rings.

v2: additional updates (Alex)

(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)

Meta Information
Published: 2026-02-14
Last Modified: 2026-03-18
Generated: 2026-05-07
AI Q&A: 2026-02-14
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 10 associated CPEs

Vendor   Product        Version / Range
linux    linux_kernel   6.19
linux    linux_kernel   6.19
linux    linux_kernel   6.19
linux    linux_kernel   6.19
linux    linux_kernel   6.19
linux    linux_kernel   6.19
linux    linux_kernel   From 6.7 (inc) to 6.12.69 (exc)
linux    linux_kernel   6.19
linux    linux_kernel   From 6.13 (inc) to 6.18.9 (exc)
linux    linux_kernel   From 6.4 (inc) to 6.6.123 (exc)

CWE ID    Description
CWE-476   The product dereferences a pointer that it expects to be valid but is NULL.

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's AMD GPU driver (amdgpu) specifically affecting APUs like Raven and Renoir. The issue arises because certain interrupt ring buffers (ih1 and ih2) are not initialized on these APUs by design, as these secondary rings are only available on discrete GPUs.

However, a function called amdgpu_gmc_filter_faults_remove() uses the ih1 ring buffer without checking if it is initialized, leading to a NULL pointer dereference when retry faults are enabled (noretry=0). This causes the kernel to crash with a NULL pointer dereference error.

The root cause is that the function attempts to access ih1 unconditionally, but on APUs ih1 is not set up, resulting in a crash during page fault recovery.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference when running on affected AMD APUs with retry fault handling enabled. This results in system instability and potential denial of service as the kernel encounters a fatal error.

Such crashes can interrupt normal system operation, potentially causing data loss or requiring a system reboot.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a kernel NULL pointer dereference crash related to the amdgpu driver on affected APUs. Detection can be done by monitoring kernel logs for specific crash messages.

  • Check kernel logs for the following error message indicating the NULL pointer dereference crash: "BUG: kernel NULL pointer dereference, address: 0000000000000004".
  • Look for call traces involving amdgpu_ih_decode_iv_ts_helper, amdgpu_gmc_filter_faults_remove, and svm_range_restore_pages in dmesg or /var/log/kern.log.
  • Use the command: dmesg | grep -i 'amdgpu_ih_decode_iv_ts_helper' to find relevant crash traces.
  • Monitor for system crashes or kernel oops related to amdgpu when retry faults are enabled (noretry=0).
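
The log checks above applied in one pass (an added example, not part of the original advisory or of the kernel project). The function name count_amdgpu_ih_oops and the sample log, including its timestamps and the second, unrelated oops, are constructed for illustration. It counts only oops reports that combine the NULL dereference with both symbols from the advisory's trace, which a single grep cannot do.

```shell
#!/bin/sh
# Count kernel oops reports matching this advisory's signature:
#   - "BUG: kernel NULL pointer dereference"
#   - RIP inside amdgpu_ih_decode_iv_ts_helper
#   - amdgpu_gmc_filter_faults_remove in the call trace
# Reads the files given as arguments, or stdin when none are given.
count_amdgpu_ih_oops() {
    awk '
        # Close the current report; count it only if all three markers were seen.
        function finish() { if (in_oops && rip && caller) hits++; in_oops = rip = caller = 0 }
        /BUG: kernel NULL pointer dereference/ { finish(); in_oops = 1; next }
        in_oops && /RIP: [0-9a-f]+:amdgpu_ih_decode_iv_ts_helper\+/ { rip = 1 }
        in_oops && /amdgpu_gmc_filter_faults_remove\+/ { caller = 1 }
        /---\[ end trace/ { finish() }
        END { finish(); print hits + 0 }
    ' "$@"
}

# Constructed sample log: the first report uses the trace quoted in the
# advisory, the second is an unrelated NULL dereference that must not count.
sample_log() {
    cat <<'EOF'
[  812.101] BUG: kernel NULL pointer dereference, address: 0000000000000004
[  812.102] RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]
[  812.103] Call Trace:
[  812.104]  amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]
[  812.105]  svm_range_restore_pages+0xae5/0x11c0 [amdgpu]
[  812.106] ---[ end trace 0000000000000000 ]---
[  990.201] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  990.202] RIP: 0010:example_driver_poll+0x10/0x80 [example]
[  990.203] Call Trace:
[  990.204]  example_irq_handler+0x20/0x40 [example]
[  990.205] ---[ end trace 0000000000000000 ]---
EOF
}

# Demo on the constructed sample; on a live host use: dmesg | count_amdgpu_ih_oops
sample_log | count_amdgpu_ih_oops
```

A non-zero count on a host with a Raven or Renoir APU indicates the crash described in this advisory has already occurred there.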

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, the primary step is to apply the patch that adds a check for ih1.ring_size before its usage and restores soft_ih support for hardware that does not support secondary interrupt rings.

If patching immediately is not possible, consider disabling retry fault handling on affected APUs such as Raven and Renoir by setting the amdgpu module parameter noretry=1 (amdgpu.noretry=1 on the kernel command line), which prevents the vulnerable code path from being exercised.

  • Update the Linux kernel to a version that includes the fix (cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526).
  • Set the amdgpu module parameter noretry=1 (amdgpu.noretry=1 as a kernel boot parameter) to disable retry fault handling temporarily.
