CVE-2026-45878
Buffer Overflow in AMDKFD Debug Address Watch

Publication date: 2026-05-27

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2

The address watch clear code receives watch_id as an unsigned value (u32), but some helper functions were using a signed int and checked bits by shifting with watch_id. If a very large watch_id is passed from userspace, it can be converted to a negative value. This can cause invalid shifts and may access memory outside the watch_points array.

Fix this by checking that watch_id is within MAX_WATCH_ADDRESSES before using it. Also use BIT(watch_id) to test and clear bits safely. This keeps the behavior unchanged for valid watch IDs and avoids undefined behavior for invalid ones.

Fixes the below:

drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448 kfd_dbg_trap_clear_dev_address_watch() error: buffer overflow 'pdd->watch_points' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped

drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c
    433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd,
    434                                          uint32_t watch_id)
    435 {
    436         int r;
    437
    438         if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))

kfd_dbg_owns_dev_watch_id() doesn't check for negative values so if watch_id is larger than INT_MAX it leads to a buffer overflow. (Negative shifts are undefined).

    439                 return -EINVAL;
    440
    441         if (!pdd->dev->kfd->shared_resources.enable_mes) {
    442                 r = debug_lock_and_unmap(pdd->dev->dqm);
    443                 if (r)
    444                         return r;
    445         }
    446
    447         amdgpu_gfx_off_ctrl(pdd->dev->adev, false);
--> 448         pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch(
    449                                                 pdd->dev->adev,
    450                                                 watch_id);

v2: (as per, Jonathan Kim)
- Add early watch_id >= MAX_WATCH_ADDRESSES validation in the set path to match the clear path.
- Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id().
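To make the failure mode in the description concrete, here is an added userspace C model of the pre-fix and post-fix ownership checks; it is not the kernel's code. The struct, the function names, the constructed sample state and the use of x86's 5-bit shift-count masking to emulate the undefined negative shift are assumptions for illustration; MAX_WATCH_ADDRESSES = 4 follows the array size in the smatch report.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_WATCH_ADDRESSES 4U   /* array size from the smatch report */
#define BIT(n) (1UL << (n))

/* Assumed minimal model of the per-process state named in the description. */
struct pdd_model {
	uint32_t alloc_watch_ids;              /* bitmask of owned watch ids */
	int watch_points[MAX_WATCH_ADDRESSES]; /* the array overflowed at line 448 */
};

/* Pre-fix shape: watch_id becomes a signed int and is used as a shift count.
 * A negative shift count is undefined in C, so rather than executing it this
 * emulates a plain x86 32-bit shift, which masks the count to 5 bits:
 * 0x80000000 (int -2147483648) then acts like shift-by-0 and aliases id 0. */
static bool owns_watch_id_prefix(const struct pdd_model *pdd, uint32_t watch_id)
{
	int signed_id = (int)watch_id;                 /* the u32 -> int conversion */
	unsigned int hw_count = (unsigned int)signed_id & 31U;
	return (pdd->alloc_watch_ids >> hw_count) & 0x1;
}

/* Post-fix shape: reject ids >= MAX_WATCH_ADDRESSES first, then test with BIT(). */
static bool owns_watch_id_fixed(const struct pdd_model *pdd, uint32_t watch_id)
{
	if (watch_id >= MAX_WATCH_ADDRESSES)
		return false;
	return (pdd->alloc_watch_ids & BIT(watch_id)) != 0;
}

/* Clear path modelled on kfd_dbg_trap_clear_dev_address_watch(): -1 stands for
 * -EINVAL, -2 marks an index that would overflow watch_points (reported, not
 * performed), otherwise the cleared index is returned. */
static int clear_watch(struct pdd_model *pdd, uint32_t watch_id,
		       bool (*owns)(const struct pdd_model *, uint32_t))
{
	if (!owns(pdd, watch_id))
		return -1;
	if (watch_id >= MAX_WATCH_ADDRESSES)
		return -2;
	pdd->watch_points[watch_id] = 0;
	pdd->alloc_watch_ids &= ~BIT(watch_id);
	return (int)watch_id;
}

/* Constructed sample state for both checks: the process owns watch ids 0 and 2. */
static int clear_prefix(uint32_t id) { struct pdd_model p = { .alloc_watch_ids = BIT(0) | BIT(2) }; return clear_watch(&p, id, owns_watch_id_prefix); }
static int clear_fixed(uint32_t id)  { struct pdd_model p = { .alloc_watch_ids = BIT(0) | BIT(2) }; return clear_watch(&p, id, owns_watch_id_fixed); }
```

With the sample state, clear_prefix(0x80000000u) passes the ownership check by aliasing id 0 and reaches the out-of-bounds index, while clear_fixed() rejects every id at or above MAX_WATCH_ADDRESSES before the array is touched.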
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: amd
Product: linux_kernel
Version / Range: *
Exploitability
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the debug address watch code of the Linux kernel's drm/amdkfd component (the fix is the v2 revision of the patch). The issue arises because the watch_id parameter, which arrives from userspace as an unsigned 32-bit value, is treated as a signed integer in some helper functions. If a very large watch_id is passed from userspace, it is interpreted as a negative value, leading to invalid bit shifts and potential access outside the bounds of the watch_points array.

The missing bounds check allows a buffer overflow whenever watch_id exceeds the maximum allowed value (MAX_WATCH_ADDRESSES). The vulnerability was fixed by validating that watch_id is within the valid range before use and by testing and clearing bits safely with BIT(watch_id).

Impact Analysis

If exploited, this vulnerability can lead to a buffer overflow in the kernel memory space. This may cause undefined behavior such as memory corruption, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Since the flaw involves improper bounds checking on a user-supplied value, a malicious user or process could trigger this condition to compromise system stability or security.

Mitigation Strategies

The vulnerability is fixed by adding proper bounds checking for the watch_id parameter in the Linux kernel's drm/amdkfd driver.

Immediate mitigation steps include updating the Linux kernel to a version that contains the fix for this issue, which ensures that watch_id values are validated against MAX_WATCH_ADDRESSES before use.

This prevents buffer overflow and undefined behavior caused by invalid watch_id values.
