CVE-2026-53143

Source
https://cve.org/CVERecord?id=CVE-2026-53143
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53143.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53143
Downstream
Published
2026-06-25T08:38:30.901Z
Modified
2026-07-08T08:13:43.774724489Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11

The v11 MQD manager incorrectly assigned the CP-compute variants of checkpointmqd/restoremqd for KFDMQDTYPESDMA queues. These functions use sizeof(struct v11computemqd) (2048 bytes) instead of sizeof(struct v11sdma_mqd) (512 bytes), causing a 1536-byte overflow.

During CRIU checkpoint of an SDMA queue on Navi3x: - checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer, leaking 1536 bytes of adjacent GTT memory to userspace

During CRIU restore: - restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer, corrupting 1536 bytes of adjacent GTT memory (often the ring buffer or neighboring MQDs)

This is a copy-paste regression unique to v11. All other ASIC backends (cik, vi, v9, v10, v12) correctly use the SDMA-specific variants.

Add checkpointmqdsdma() and restoremqdsdma() functions that properly handle the smaller v11sdmamqd structure, matching the pattern used in other MQD managers.

(cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53143.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cc009e613de6560eb499f8bc92c80a737752cb30
Fixed
16dad1fb0d783a4008de30e32d0038c393de05b1
Fixed
2c5b66c9b4057b385566940935ebc32f6e6ebfd2
Fixed
d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64
Fixed
d02f05d30f35b036f7cbaf72de634affb5b38ec6
Fixed
352ea59028ea48a6fff77f19ae28f98f71946a80

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53143.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.19.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53143.json"