CVE-2026-43169
Awaiting Analysis - Queue
DRM Buddy Memory Allocation Bypass

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/buddy: Prevent BUG_ON by validating rounded allocation

When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is rounded up to the next power-of-two via roundup_pow_of_two(). Similarly, for non-contiguous allocations with large min_block_size, the size is aligned up via round_up(). Both operations can produce a rounded size that exceeds mm->size, which later triggers BUG_ON(order > mm->max_order).

Example scenarios:
- 9G CONTIGUOUS allocation on 10G VRAM memory: roundup_pow_of_two(9G) = 16G > 10G
- 9G allocation with 8G min_block_size on 10G VRAM memory: round_up(9G, 8G) = 16G > 10G

Fix this by checking the rounded size against mm->size. For non-contiguous or range allocations where size > mm->size is invalid, return -EINVAL immediately. For contiguous allocations without range restrictions, allow the request to fall through to the existing __alloc_contig_try_harder() fallback.

This ensures invalid user input returns an error or uses the fallback path instead of hitting BUG_ON.

v2: (Matt A)
- Add Fixes, Cc stable, and Closes tags for context
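
The two example scenarios and the described check, as an added userspace model. This is not the kernel patch: roundup_pow2(), round_up_to(), check_rounded_size(), FLAG_RANGE and USE_FALLBACK are hypothetical names chosen here, and the inputs are constructed from the description's figures.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define GiB (1ULL << 30)
#define FLAG_CONTIGUOUS 0x1u /* stand-in for DRM_BUDDY_CONTIGUOUS_ALLOCATION */
#define FLAG_RANGE      0x2u /* hypothetical: request restricted to a range */
#define USE_FALLBACK    1    /* hypothetical: take the try-harder path */

/* Next power of two >= n, as roundup_pow_of_two() does (0 < n <= 2^63). */
static uint64_t roundup_pow2(uint64_t n)
{
    uint64_t p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

/* Round n up to a multiple of align (a power of two), as round_up() does. */
static uint64_t round_up_to(uint64_t n, uint64_t align)
{
    return (n + align - 1) & ~(align - 1);
}

/* Returns 0 if the rounded size fits, USE_FALLBACK, or -EINVAL. */
static int check_rounded_size(uint64_t mm_size, uint64_t size,
                              uint64_t min_block_size, unsigned flags,
                              uint64_t *rounded)
{
    *rounded = (flags & FLAG_CONTIGUOUS) ? roundup_pow2(size)
                                         : round_up_to(size, min_block_size);
    if (*rounded <= mm_size)
        return 0;
    /* Rounded size no longer fits: reject before any order computation,
     * except contiguous requests without a range, which may still be
     * satisfiable at their unrounded size by the fallback path. */
    if ((flags & FLAG_CONTIGUOUS) && !(flags & FLAG_RANGE))
        return USE_FALLBACK;
    return -EINVAL;
}

int main(void)
{
    uint64_t r;
    int rc = check_rounded_size(10 * GiB, 9 * GiB, 4096, FLAG_CONTIGUOUS, &r);
    printf("contiguous 9G on 10G: rounded=%lluG rc=%d\n", (unsigned long long)(r / GiB), rc);
    rc = check_rounded_size(10 * GiB, 9 * GiB, 8 * GiB, 0, &r);
    printf("9G, 8G min block on 10G: rounded=%lluG rc=%d\n", (unsigned long long)(r / GiB), rc);
    return 0;
}
```
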
Meta Information
Published: 2026-05-06
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-05-06
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's DRM (Direct Rendering Manager) buddy allocator. When certain allocation flags are set, the requested memory size is rounded up to the next power-of-two or aligned up to a block size. This rounding can cause the requested size to exceed the total available memory size (mm->size), which later triggers a kernel BUG_ON error, causing a crash.

The issue occurs because the code does not properly validate the rounded size against the available memory size before proceeding. For example, requesting 9GB on a 10GB VRAM with rounding can result in a 16GB allocation attempt, which is invalid.

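The fix adds checks to ensure the rounded size does not exceed the available memory size. If it does, non-contiguous or range allocations return -EINVAL immediately, and contiguous allocations without range restrictions fall through to the existing fallback path, instead of causing a kernel crash.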


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash due to a BUG_ON triggered by invalid memory allocation requests. Such crashes can lead to system instability, denial of service, or unexpected reboots.

If exploited or triggered by malformed input or software, it could disrupt services running on the affected system, potentially causing downtime or data loss.


What immediate steps should I take to mitigate this vulnerability?

This vulnerability has been resolved in the Linux kernel by adding validation to prevent invalid allocation sizes that trigger BUG_ON conditions.

Immediate mitigation steps include updating your Linux kernel to a version that contains the fix for this issue.

  • Ensure that the kernel version you are running includes the patch that validates rounded allocation sizes against the memory manager's size.
  • Avoid using configurations or workloads that request large contiguous or non-contiguous allocations that exceed available VRAM or memory size until the fix is applied.
