CVE-2026-53139 (GCVE-0-2026-53139)

Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-25 08:38
VLAI
Title
drm/v3d: Skip CSD when it has zeroed workgroups
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Skip CSD when it has zeroed workgroups A compute shader dispatch encodes its workgroup counts in the CFG0..CFG2 registers. Kicking off a dispatch with a zero count in any of the three dimensions is invalid. First, the hardware will process 0 as 65536, while the user-space driver exposes a maximum of 65535. Over that, a submission with a zeroed workgroup dimension should be a no-op. These zeroed counts can reach the dispatch path through an indirect CSD job, whose workgroup counts are only known once the indirect buffer is read and may legitimately be zero, but such scenario should only result in a no-op. Overwrite the indirect CSD job workgroup counts with the indirect BO ones, even if they are zeroed, and don't submit the job to the hardware when any of the workgroup counts is zero, so the job completes immediately instead of running the shader.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: d223f98f02099b002903b9b22b56febae16ef80d , < 9655b56b6de918e1c22b92f3880ae41b052cbd00 (git)
Affected: d223f98f02099b002903b9b22b56febae16ef80d , < 11e6432836394e00d39e468cd514f9ddb66f1e49 (git)
Affected: d223f98f02099b002903b9b22b56febae16ef80d , < 7f93fad5ea0affc9e1505dd0f7596c0fdb496213 (git)
Create a notification for this product.
Linux Linux Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 6.18.36 , ≤ 6.18.* (semver)
Unaffected: 7.0.13 , ≤ 7.0.* (semver)
Unaffected: 7.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_sched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9655b56b6de918e1c22b92f3880ae41b052cbd00",
              "status": "affected",
              "version": "d223f98f02099b002903b9b22b56febae16ef80d",
              "versionType": "git"
            },
            {
              "lessThan": "11e6432836394e00d39e468cd514f9ddb66f1e49",
              "status": "affected",
              "version": "d223f98f02099b002903b9b22b56febae16ef80d",
              "versionType": "git"
            },
            {
              "lessThan": "7f93fad5ea0affc9e1505dd0f7596c0fdb496213",
              "status": "affected",
              "version": "d223f98f02099b002903b9b22b56febae16ef80d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_sched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.36",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.13",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Skip CSD when it has zeroed workgroups\n\nA compute shader dispatch encodes its workgroup counts in the CFG0..CFG2\nregisters. Kicking off a dispatch with a zero count in any of the three\ndimensions is invalid. First, the hardware will process 0 as 65536,\nwhile the user-space driver exposes a maximum of 65535. Over that, a\nsubmission with a zeroed workgroup dimension should be a no-op.\n\nThese zeroed counts can reach the dispatch path through an indirect CSD\njob, whose workgroup counts are only known once the indirect buffer is\nread and may legitimately be zero, but such scenario should only result in\na no-op.\n\nOverwrite the indirect CSD job workgroup counts with the indirect BO\nones, even if they are zeroed, and don\u0027t submit the job to the hardware\nwhen any of the workgroup counts is zero, so the job completes immediately\ninstead of running the shader."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T08:38:27.738Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9655b56b6de918e1c22b92f3880ae41b052cbd00"
        },
        {
          "url": "https://git.kernel.org/stable/c/11e6432836394e00d39e468cd514f9ddb66f1e49"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f93fad5ea0affc9e1505dd0f7596c0fdb496213"
        }
      ],
      "title": "drm/v3d: Skip CSD when it has zeroed workgroups",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-53139",
    "datePublished": "2026-06-25T08:38:27.738Z",
    "dateReserved": "2026-06-09T07:44:35.387Z",
    "dateUpdated": "2026-06-25T08:38:27.738Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-53139",
      "date": "2026-07-02",
      "epss": "0.00166",
      "percentile": "0.06149"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-53139\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-06-25T09:16:31.247\",\"lastModified\":\"2026-06-30T14:44:27.313\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/v3d: Skip CSD when it has zeroed workgroups\\n\\nA compute shader dispatch encodes its workgroup counts in the CFG0..CFG2\\nregisters. Kicking off a dispatch with a zero count in any of the three\\ndimensions is invalid. First, the hardware will process 0 as 65536,\\nwhile the user-space driver exposes a maximum of 65535. Over that, a\\nsubmission with a zeroed workgroup dimension should be a no-op.\\n\\nThese zeroed counts can reach the dispatch path through an indirect CSD\\njob, whose workgroup counts are only known once the indirect buffer is\\nread and may legitimately be zero, but such scenario should only result in\\na no-op.\\n\\nOverwrite the indirect CSD job workgroup counts with the indirect BO\\nones, even if they are zeroed, and don\u0027t submit the job to the hardware\\nwhen any of the workgroup counts is zero, so the job completes immediately\\ninstead of running the shader.\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"drivers/gpu/drm/v3d/v3d_sched.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"d223f98f02099b002903b9b22b56febae16ef80d\",\"lessThan\":\"9655b56b6de918e1c22b92f3880ae41b052cbd00\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"d223f98f02099b002903b9b22b56febae16ef80d\",\"lessThan\":\"11e6432836394e00d39e468cd514f9ddb66f1e49\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"d223f98f02099b002903b9b22b56febae16ef80d\",\"lessThan\":\"7f93fad5ea0affc9e1505dd0f7596c0fdb496213\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"drivers/gpu/drm/v3d/v3d_sched.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"5.3\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"5.3\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.18.36\",\"lessThanOrEqual\":\"6.18.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.0.13\",\"lessThanOrEqual\":\"7.0.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.1\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/11e6432836394e00d39e468cd514f9ddb66f1e49\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7f93fad5ea0affc9e1505dd0f7596c0fdb496213\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9655b56b6de918e1c22b92f3880ae41b052cbd00\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…