CVE-2026-31766

Source
https://cve.org/CVERecord?id=CVE-2026-31766
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31766.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31766
Downstream
Published
2026-05-01T14:14:56.622Z
Modified
2026-07-08T08:00:04.856392718Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
drm/amdgpu: validate doorbell_offset in user queue creation
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: validate doorbell_offset in user queue creation

amdgpuuserqgetdoorbellindex() passes the user-provided doorbelloffset to amdgpudoorbellindexonbar() without bounds checking. An arbitrarily large doorbelloffset can cause the calculated doorbell index to fall outside the allocated doorbell BO, potentially corrupting kernel doorbell space.

Validate that doorbell_offset falls within the doorbell BO before computing the BAR index, using u64 arithmetic to prevent overflow.

(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31766.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f09c1e6077abd1bc2ddd2b97e1135215801ca7f9
Fixed
3543005a42d7e8e12b21897ef6798541bf7cbcd3
Fixed
86b732fbc37ce4fb76cdd4af0fb7e30a6acdbce6
Fixed
a018d1819f158991b7308e4f74609c6c029b670c

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31766.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31766.json"