CVE-2026-46229
Analyzed Analyzed - Analysis Complete
Memory Corruption in AMDGPU KFD VRAM Allocation

Publication date: 2026-05-28

Last updated on: 2026-06-10

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels. The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers. This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-10
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46229
EUVD
EUVD-2026-32856
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.32 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.90 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.9 (exc)
linux linux_kernel From 5.4 (inc) to 6.6.140 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's drm/amdkfd component where VRAM (Video RAM) allocations were not properly cleared before use. Specifically, while KFD VRAM allocations set the flag AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE, they did not set AMDGPU_GEM_CREATE_VRAM_CLEARED. As a result, freshly allocated VRAM could contain stale data from previous uses, which could be observed by compute kernels.

The GEM ioctl path correctly sets the VRAM_CLEARED flag for all userspace allocations, but the KFD path was missing this, allowing stale page table remnants to leak into user buffers. This flaw could cause crashes in RCCL P2P transport due to corruption in protocol handshake fields caused by non-zero stale data.

Impact Analysis

The vulnerability can lead to exposure of stale data in VRAM to compute kernels, which means sensitive or residual data from previous operations might be accessible unintentionally.

Additionally, it can cause crashes in RCCL P2P transport because stale non-zero data corrupts the protocol handshake, potentially leading to instability or denial of service in systems relying on this transport.

Mitigation Strategies

The vulnerability has been resolved by clearing VRAM on allocation to prevent stale data exposure in the Linux kernel's drm/amdkfd component.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix where the KFD VRAM allocations set the AMDGPU_GEM_CREATE_VRAM_CLEARED flag properly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46229. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart