CVE-2026-31566 (GCVE-0-2026-31566)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:35 – Updated: 2026-04-24 14:35
VLAI?
Title
drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
amdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence
from amdgpu_ib_schedule(). This fence is used to wait for job
completion.
Currently, the code drops the fence reference using dma_fence_put()
before calling dma_fence_wait().
If dma_fence_put() releases the last reference, the fence may be
freed before dma_fence_wait() is called. This can lead to a
use-after-free.
Fix this by waiting on the fence first and releasing the reference
only after dma_fence_wait() completes.
Fixes the below:
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696)
(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9ae55f030dc523fc4dc6069557e4a887ea815453 , < bc7760c107dc08ef3e231d72c492e67b0a86848b
(git)
Affected: 9ae55f030dc523fc4dc6069557e4a887ea815453 , < e23602eb0779760544314ed3905fa6a89a4e4070 (git) Affected: 9ae55f030dc523fc4dc6069557e4a887ea815453 , < 138e42be35ff2ce6572ae744de851ea286cf3c69 (git) Affected: 9ae55f030dc523fc4dc6069557e4a887ea815453 , < 39820864eacd886f1a6f817414fb8f9ea3e9a2b4 (git) Affected: 9ae55f030dc523fc4dc6069557e4a887ea815453 , < 42d248726a0837640452b71c5a202ca3d35239ec (git) Affected: 9ae55f030dc523fc4dc6069557e4a887ea815453 , < 7150850146ebfa4ca998f653f264b8df6f7f85be (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc7760c107dc08ef3e231d72c492e67b0a86848b",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
},
{
"lessThan": "e23602eb0779760544314ed3905fa6a89a4e4070",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
},
{
"lessThan": "138e42be35ff2ce6572ae744de851ea286cf3c69",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
},
{
"lessThan": "39820864eacd886f1a6f817414fb8f9ea3e9a2b4",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
},
{
"lessThan": "42d248726a0837640452b71c5a202ca3d35239ec",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
},
{
"lessThan": "7150850146ebfa4ca998f653f264b8df6f7f85be",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib\n\namdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence\nfrom amdgpu_ib_schedule(). This fence is used to wait for job\ncompletion.\n\nCurrently, the code drops the fence reference using dma_fence_put()\nbefore calling dma_fence_wait().\n\nIf dma_fence_put() releases the last reference, the fence may be\nfreed before dma_fence_wait() is called. This can lead to a\nuse-after-free.\n\nFix this by waiting on the fence first and releasing the reference\nonly after dma_fence_wait() completes.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory \u0027f\u0027 (line 696)\n\n(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:35:46.740Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc7760c107dc08ef3e231d72c492e67b0a86848b"
},
{
"url": "https://git.kernel.org/stable/c/e23602eb0779760544314ed3905fa6a89a4e4070"
},
{
"url": "https://git.kernel.org/stable/c/138e42be35ff2ce6572ae744de851ea286cf3c69"
},
{
"url": "https://git.kernel.org/stable/c/39820864eacd886f1a6f817414fb8f9ea3e9a2b4"
},
{
"url": "https://git.kernel.org/stable/c/42d248726a0837640452b71c5a202ca3d35239ec"
},
{
"url": "https://git.kernel.org/stable/c/7150850146ebfa4ca998f653f264b8df6f7f85be"
}
],
"title": "drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31566",
"datePublished": "2026-04-24T14:35:46.740Z",
"dateReserved": "2026-03-09T15:48:24.117Z",
"dateUpdated": "2026-04-24T14:35:46.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-31566",
"date": "2026-04-26",
"epss": "0.00024",
"percentile": "0.06793"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-31566\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-24T15:16:31.077\",\"lastModified\":\"2026-04-24T17:51:40.810\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib\\n\\namdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence\\nfrom amdgpu_ib_schedule(). This fence is used to wait for job\\ncompletion.\\n\\nCurrently, the code drops the fence reference using dma_fence_put()\\nbefore calling dma_fence_wait().\\n\\nIf dma_fence_put() releases the last reference, the fence may be\\nfreed before dma_fence_wait() is called. This can lead to a\\nuse-after-free.\\n\\nFix this by waiting on the fence first and releasing the reference\\nonly after dma_fence_wait() completes.\\n\\nFixes the below:\\ndrivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory \u0027f\u0027 (line 696)\\n\\n(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/138e42be35ff2ce6572ae744de851ea286cf3c69\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/39820864eacd886f1a6f817414fb8f9ea3e9a2b4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/42d248726a0837640452b71c5a202ca3d35239ec\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7150850146ebfa4ca998f653f264b8df6f7f85be\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bc7760c107dc08ef3e231d72c492e67b0a86848b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e23602eb0779760544314ed3905fa6a89a4e4070\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…