{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23468", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.021Z", "datePublished": "2026-04-03T15:15:47.207Z", "dateUpdated": "2026-04-03T15:15:47.207Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:47.207Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Limit BO list entry count to prevent resource exhaustion\n\nUserspace can pass an arbitrary number of BO list entries via the\nbo_number field. Although the previous multiplication overflow check\nprevents out-of-bounds allocation, a large number of entries could still\ncause excessive memory allocation (up to potentially gigabytes) and\nunnecessarily long list processing times.\n\nIntroduce a hard limit of 128k entries per BO list, which is more than\nsufficient for any realistic use case (e.g., a single list containing all\nbuffers in a large scene). This prevents memory exhaustion attacks and\nensures predictable performance.\n\nReturn -EINVAL if the requested entry count exceeds the limit\n\n(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "5ce4a38e6c2488949e373d5066303f9c128db614", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6270b1a5dab94665d7adce3dc78bc9066ed28bdd", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c"], "versions": [{"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5ce4a38e6c2488949e373d5066303f9c128db614"}, {"url": "https://git.kernel.org/stable/c/f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9"}, {"url": "https://git.kernel.org/stable/c/6270b1a5dab94665d7adce3dc78bc9066ed28bdd"}], "title": "drm/amdgpu: Limit BO list entry count to prevent resource exhaustion", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Limit BO list entry count to prevent resource exhaustion\n\nUserspace can pass an arbitrary number of BO list entries via the\nbo_number field. Although the previous multiplication overflow check\nprevents out-of-bounds allocation, a large number of entries could still\ncause excessive memory allocation (up to potentially gigabytes) and\nunnecessarily long list processing times.\n\nIntroduce a hard limit of 128k entries per BO list, which is more than\nsufficient for any realistic use case (e.g., a single list containing all\nbuffers in a large scene). This prevents memory exhaustion attacks and\nensures predictable performance.\n\nReturn -EINVAL if the requested entry count exceeds the limit\n\n(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)"}], "id": "CVE-2026-23468", "lastModified": "2026-04-03T16:16:34.330", "metrics": {}, "published": "2026-04-03T16:16:34.330", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5ce4a38e6c2488949e373d5066303f9c128db614"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6270b1a5dab94665d7adce3dc78bc9066ed28bdd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5ce4a38e6c2488949e373d5066303f9c128db614)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6270b1a5dab94665d7adce3dc78bc9066ed28bdd)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T19:08:13.364604+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that contains the patch limiting BO list entry counts", "Verify that the kernel source includes commit 688b87d39e0aa8135105b40dc167d74b5ada5332 or its equivalent", "Reboot the system after the kernel upgrade to activate the updated driver", "If an immediate kernel upgrade is not possible, restrict untrusted processes from accessing the GPU driver and monitor system memory usage for abnormal growth"], "summary": {"action": "Apply patch", "impact": "Denial of Service via memory exhaustion"}, "threat_synthesis": {"affected_systems": "This issue affects the AMDGPU component of the Linux kernel. The vulnerability is present in all kernel versions that compile the affected driver before the commit that enforces the 128\u2009000 entry limit. No specific version ranges are listed, so any kernel build without the patch is potentially vulnerable.", "description_and_impact": "In the Linux kernel\u2019s AMDGPU driver, userspace can provide an arbitrarily large number of buffer object (BO) list entries through the bo_number field. The previous overflow check stops out\u2011of\u2011bounds allocation but does not limit how many entries can be requested. A large request can therefore cause the driver to allocate a massive amount of memory\u2014potentially many gigabytes\u2014and to perform very long list traversals, leading to severe memory exhaustion and slowed system performance. The fix introduces a hard limit of 128\u2009000 entries per BO list, and returns an error if the requested count exceeds this limit, preventing the excessive allocation from occurring.", "risk_and_exploitability": "The attack requires a process that can communicate with the AMDGPU driver, typically a privileged or user\u2011space application with DRM access. Because the vulnerability relies on kernel\u2011mode allocation, exploitation is likely limited to local or privileged users, reducing the likelihood of widespread remote attacks. The lack of an EPSS score and absence from the CISA KEV catalog suggest moderate exploitation risk, but the potential for DoS by exhausting system memory remains a serious concern for affected systems."}}}}, "created": "2026-04-03T21:13:30.870014+00:00", "updated": "2026-04-03T21:15:45.707925+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-770"]}