CVE-2026-53139
Received Received - Intake
Linux Kernel Compute Shader Dispatch Zero Workgroup Handling

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Skip CSD when it has zeroed workgroups A compute shader dispatch encodes its workgroup counts in the CFG0..CFG2 registers. Kicking off a dispatch with a zero count in any of the three dimensions is invalid. First, the hardware will process 0 as 65536, while the user-space driver exposes a maximum of 65535. Over that, a submission with a zeroed workgroup dimension should be a no-op. These zeroed counts can reach the dispatch path through an indirect CSD job, whose workgroup counts are only known once the indirect buffer is read and may legitimately be zero, but such scenario should only result in a no-op. Overwrite the indirect CSD job workgroup counts with the indirect BO ones, even if they are zeroed, and don't submit the job to the hardware when any of the workgroup counts is zero, so the job completes immediately instead of running the shader.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53139
EUVD
EUVD-2026-39344
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's drm/v3d component related to compute shader dispatch (CSD). When a compute shader dispatch is initiated, it encodes workgroup counts in three registers (CFG0..CFG2). If any of these counts is zero, it is invalid because the hardware interprets zero as 65536, while the user-space driver limits the maximum to 65535.

The issue arises when zeroed workgroup counts reach the dispatch path through an indirect CSD job, where the counts are only known after reading an indirect buffer and can legitimately be zero. Instead of being treated as a no-op, these zeroed counts could cause incorrect hardware processing.

The fix involves overwriting the indirect CSD job workgroup counts with those from the indirect buffer object, even if zeroed, and preventing the job from being submitted to hardware when any workgroup count is zero. This causes the job to complete immediately without running the shader.

Impact Analysis

If exploited or triggered, this vulnerability could cause the hardware to process invalid workgroup counts, potentially leading to unexpected behavior or resource misuse in the GPU compute shader dispatch.

Since zero counts are interpreted as very large values (65536), this could cause the hardware to perform unintended operations or consume excessive resources, possibly leading to system instability or denial of service conditions.

Mitigation Strategies

The vulnerability is resolved by skipping the submission of compute shader dispatch (CSD) jobs when any of the workgroup counts is zero, preventing invalid dispatches.

To mitigate this vulnerability immediately, ensure your Linux kernel is updated to a version that includes this fix, which prevents zeroed workgroup counts from being submitted to the hardware.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53139. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart