CVE-2026-52965
Received - Intake
Infinite LRU Walk in Linux Kernel TTM

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure

When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership. However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource *in front of* the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop.

Fix by deferring del_bulk_move to the success path only. On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE

Vendor          Product         Version / Range
linux_kernel    linux_kernel    *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability is in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically the TTM (Translation Table Maps) component. When ttm_tt_swapout() fails, the code restores the resource's bulk_move membership by calling ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail(). However, ttm_resource_move_to_lru_tail() places the resource at the tail of the Least Recently Used (LRU) list, where the list traversal revisits the same resource repeatedly, resulting in an infinite loop.

The root cause is that the resource is placed in front of the hitch node used during the list walk, causing the traversal to never progress past that resource. The fix involves deferring the removal of the resource from the bulk_move list to only occur on the success path of the swapout operation, and introducing a new function to correctly remove the resource even if it is unevictable.
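
The cursor behaviour described above, as an added user-space model in C (not the kernel's code or the upstream patch); struct node, lru_walk() and the step cap are constructs of this example. It shows a walk that resumes from a hitch placed right after the yielded entry never reaching the end of the list when a failed entry is moved to the tail, and finishing when the entry is left in place.

```c
#include <stdio.h>

/* Simplified user-space model (an assumption of this example, not kernel
 * code): a circular doubly linked LRU plus the walk cursor's hitch node. */
struct node { struct node *prev, *next; int swap_fails; };

static void unlink_node(struct node *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
}
static void add_after(struct node *n, struct node *pos) {
    n->next = pos->next; n->prev = pos; pos->next->prev = n; pos->next = n;
}

/* Walks nres (<= 8) resources; resource index `failing` fails to swap out.
 * Returns the number of resources yielded, or -1 once the walk exceeds
 * max_steps, which stands in for the kernel never leaving the loop. */
int lru_walk(int nres, int failing, int tail_on_fail, int max_steps)
{
    struct node head, hitch, res[8];
    int i, steps = 0;

    if (nres < 0 || nres > 8) return -2;
    head.prev = head.next = &head;
    for (i = 0; i < nres; i++) {
        res[i].swap_fails = (i == failing);
        add_after(&res[i], head.prev);          /* append at LRU tail */
    }
    add_after(&hitch, &head);                   /* cursor starts at the head */
    for (;;) {
        struct node *cur = hitch.next;          /* continue from the hitch */
        if (cur == &head) return steps;         /* end of LRU reached */
        if (++steps > max_steps) return -1;
        unlink_node(&hitch);
        add_after(&hitch, cur);                 /* hitch sits right after cur */
        if (!cur->swap_fails) {
            unlink_node(cur);                   /* swapped out: leaves the LRU */
        } else if (tail_on_fail) {              /* pre-fix restore path */
            unlink_node(cur);
            add_after(cur, head.prev);          /* tail is past the hitch */
        }                                       /* post-fix: cur stays put */
    }
}

int main(void)
{
    printf("restore moves to tail: %d\n", lru_walk(3, 1, 1, 1000));
    printf("resource left in place: %d\n", lru_walk(3, 1, 0, 1000));
    return 0;
}
```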

Impact Analysis

This vulnerability can cause an infinite loop during the handling of memory resources in the Linux kernel's DRM subsystem. An infinite loop in kernel code can lead to system hangs or crashes, potentially causing denial of service (DoS) conditions. This can affect system stability and availability, especially on systems relying on the affected kernel component for graphics or memory management.
