In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: validate doorbell_offset in user queue creation
amdgpuuserqgetdoorbellindex() passes the user-provided doorbelloffset to amdgpudoorbellindexonbar() without bounds checking. An arbitrarily large doorbelloffset can cause the calculated doorbell index to fall outside the allocated doorbell BO, potentially corrupting kernel doorbell space.
Validate that doorbell_offset falls within the doorbell BO before computing the BAR index, using u64 arithmetic to prevent overflow.
(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31766.json",
"cna_assigner": "Linux"
}