In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: fix NULL dereference in getqueueids()
When usrqueueidarray is NULL and numqueues is non-zero, getqueueids() returns NULL. The callers check only ISERR() on the return value; since ISERR(NULL) == false the check passes, and suspendqueues() calls qarrayinvalidate() which immediately dereferences NULL while iterating numqueues times.
Userspace can trigger this via kfdioctlsetdebugtrap() by supplying numqueues > 0 with a zero queuearray_ptr, causing a kernel panic.
A NULL usrqueueidarray with numqueues == 0 is a legitimate no-op (qarrayinvalidate never executes, and resumequeues already guards all queueids dereferences behind a NULL check). Return ERRPTR(-EINVAL) only when numqueues is non-zero and the pointer is absent; both callers already propagate IS_ERR() returns correctly to userspace.
(cherry picked from commit f165a82cdf503884bb1797771c61b2fcc72113d4)
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53144.json",
"cna_assigner": "Linux"
}