CVE-2026-52987
Received Received - Intake
Double Free in AMDGPU Linux Kernel Driver

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid double drm_exec_fini() in userq validate When new_addition is true, amdgpu_userq_vm_validate() calls drm_exec_fini(&exec) before iterating over the collected HMM ranges and calling amdgpu_ttm_tt_get_user_pages(). If amdgpu_ttm_tt_get_user_pages() fails in that path, the code jumps to unlock_all and calls drm_exec_fini(&exec) a second time on the same exec object. drm_exec_fini() is not idempotent: it frees exec->objects and may also drop exec->contended and finalize the ww acquire context. Route that error path directly to the range cleanup once exec has already been finalized. Issue found using a prototype static analysis tool and confirmed by code review. (cherry picked from commit 2802952e4a07306da6ebe813ff1acacc5691851a)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52987
EUVD
EUVD-2026-38855
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel to 2802952e4a07306da6ebe813ff1acacc5691851a (inc)
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The impact of this vulnerability is related to improper resource management in the Linux kernel's amdgpu driver. Calling drm_exec_fini() twice on the same object can cause the kernel to free resources multiple times, potentially leading to system instability, crashes, or denial of service. This could affect the reliability and stability of systems using the affected Linux kernel with the amdgpu driver.

Executive Summary

This vulnerability exists in the Linux kernel's amdgpu driver, specifically in the drm/amdgpu component. The issue arises because the function drm_exec_fini() is called twice on the same exec object during error handling in amdgpu_userq_vm_validate(). The first call happens when new_addition is true, and drm_exec_fini() is called before iterating over HMM ranges. If amdgpu_ttm_tt_get_user_pages() fails, the code jumps to an error path that calls drm_exec_fini() a second time on the same exec object. Since drm_exec_fini() is not idempotent and frees resources, calling it twice can lead to improper resource handling or potential crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52987. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart