CVE-2026-46276
Received Received - Intake
Kernel Crash in AMDGPU Driver Due to Zero-Size GDS Range

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix zero-size GDS range init on RDNA4 RDNA4 (GFX 12) hardware removes the GDS, GWS, and OA on-chip memory resources. The gfx_v12_0 initialisation code correctly leaves adev->gds.gds_size, adev->gds.gws_size, and adev->gds.oa_size at zero to reflect this. amdgpu_ttm_init() unconditionally calls amdgpu_ttm_init_on_chip() for each of these resources regardless of size. When the size is zero, amdgpu_ttm_init_on_chip() forwards the call to ttm_range_man_init(), which calls drm_mm_init(mm, 0, 0). drm_mm_init() immediately fires DRM_MM_BUG_ON(start + size <= start) -- trivially true when size is zero -- crashing the kernel during modprobe of amdgpu on an RX 9070 XT. Guard against this by returning 0 early from amdgpu_ttm_init_on_chip() when size_in_page is zero. This skips TTM resource manager registration for hardware resources that are absent, without affecting any other GPU type. DRM_MM_BUG_ON() only asserts if CONFIG_DRM_DEBUG_MM is enabled in the kernel config. This is apparently rarely enabled as these chips have been in the market for over a year and this issue was only reported now. Oops-Analysis: http://oops.fenrus.org/reports/bugzilla.korg/221376/report.html (cherry picked from commit 5719ce5865279cad4fd5f01011fe037168503f2d)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-09
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-46276
EUVD
EUVD-2026-35141
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
amdgpu linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's amdgpu driver for RDNA4 (GFX 12) hardware. The hardware removes certain on-chip memory resources (GDS, GWS, OA), so their sizes are set to zero. However, the driver code calls a function to initialize these resources regardless of their size. When the size is zero, this leads to a call that triggers a kernel assertion failure (DRM_MM_BUG_ON) and crashes the kernel during the module loading process (modprobe) for the amdgpu driver on RX 9070 XT GPUs.

The issue is fixed by adding a check to return early from the initialization function when the resource size is zero, preventing the erroneous call and avoiding the kernel crash.

Impact Analysis

This vulnerability can cause the Linux kernel to crash when loading the amdgpu driver for certain RDNA4 GPUs, specifically the RX 9070 XT. This results in a denial of service as the system becomes unstable or unusable during the driver initialization process.

Detection Guidance

This vulnerability manifests as a kernel crash during the modprobe of the amdgpu driver on affected hardware (RX 9070 XT). Detection involves observing kernel oops or crash logs related to drm_mm_init() failures.

Since the crash is triggered when CONFIG_DRM_DEBUG_MM is enabled, checking if this kernel configuration option is active can help identify if the system is vulnerable to this issue.

You can check kernel logs for relevant errors using commands like:

  • dmesg | grep drm_mm_init
  • journalctl -k | grep amdgpu
  • modprobe amdgpu

Monitoring for kernel oops or crashes during amdgpu module loading is key to detecting this vulnerability.

Mitigation Strategies

The vulnerability is fixed by a patch that prevents initialization of zero-size GDS ranges on RDNA4 hardware by returning early from amdgpu_ttm_init_on_chip() when the size is zero.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • If updating is not immediately possible, avoid loading the amdgpu driver on affected RDNA4 hardware to prevent kernel crashes.
  • Ensure that CONFIG_DRM_DEBUG_MM is disabled in the kernel configuration to avoid triggering the DRM_MM_BUG_ON assertion.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46276. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart