{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23338", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.997Z", "datePublished": "2026-03-25T10:27:27.377Z", "dateUpdated": "2026-05-11T22:04:54.623Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:54.623Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings\n\nUserspace can either deliberately pass in the too small num_fences, or the\nrequired number can legitimately grow between the two calls to the userq\nwait ioctl. In both cases we do not want the emit the kernel warning\nbacktrace since nothing is wrong with the kernel and userspace will simply\nget an errno reported back. So lets simply drop the WARN_ONs.\n\n(cherry picked from commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c"], "versions": [{"version": "a292fdecd72834b3bec380baa5db1e69e7f70679", "lessThan": "1753f5f81ab60a553287f9ee659a6ac363adf8d7", "status": "affected", "versionType": "git"}, {"version": "a292fdecd72834b3bec380baa5db1e69e7f70679", "lessThan": "7321302edca3a349ddaea689df95b986beee6c4a", "status": "affected", "versionType": "git"}, {"version": "a292fdecd72834b3bec380baa5db1e69e7f70679", "lessThan": "7b7d7693a55d606d700beb9549c9f7f0e5d9c24f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1753f5f81ab60a553287f9ee659a6ac363adf8d7"}, {"url": "https://git.kernel.org/stable/c/7321302edca3a349ddaea689df95b986beee6c4a"}, {"url": "https://git.kernel.org/stable/c/7b7d7693a55d606d700beb9549c9f7f0e5d9c24f"}], "title": "drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B092616-17E9-4C58-A0D5-624A8FAE8D23", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.16.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*", "matchCriteriaId": "6238B17D-C12B-458F-A138-97039BFC4595", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings\n\nUserspace can either deliberately pass in the too small num_fences, or the\nrequired number can legitimately grow between the two calls to the userq\nwait ioctl. In both cases we do not want the emit the kernel warning\nbacktrace since nothing is wrong with the kernel and userspace will simply\nget an errno reported back. So lets simply drop the WARN_ONs.\n\n(cherry picked from commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrm/amdgpu/userq: No permitir que el espacio de usuario active trivialmente advertencias del kernel\n\nEl espacio de usuario puede pasar deliberadamente un num_fences demasiado peque\u00f1o, o el n\u00famero requerido puede crecer leg\u00edtimamente entre las dos llamadas al ioctl de espera de userq. En ambos casos no queremos emitir el rastreo de advertencia del kernel, ya que no hay ning\u00fan problema con el kernel y el espacio de usuario simplemente recibir\u00e1 un errno informado. As\u00ed que simplemente descartemos los WARN_ON.\n\n(extra\u00eddo del commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)"}], "id": "CVE-2026-23338", "lastModified": "2026-04-23T21:17:25.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:31.537", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1753f5f81ab60a553287f9ee659a6ac363adf8d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7321302edca3a349ddaea689df95b986beee6c4a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7b7d7693a55d606d700beb9549c9f7f0e5d9c24f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings", "id": "2451231", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451231"}, "csaw": false, "cwe": "CWE-1284", "details": ["A flaw was found in the Linux kernel, specifically within the `drm/amdgpu/userq` component. This vulnerability allows a local user to intentionally or unintentionally trigger kernel warnings. This occurs when the user provides an incorrect number of fences during a `userq wait ioctl` operation. While this does not compromise the kernel's integrity, it can lead to unnecessary system diagnostic messages."], "name": "CVE-2026-23338", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23338\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23338\nhttps://lore.kernel.org/linux-cve-announce/2026032534-CVE-2026-23338-67c7@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a292fdecd72834b3bec380baa5db1e69e7f70679,1753f5f81ab60a553287f9ee659a6ac363adf8d7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a292fdecd72834b3bec380baa5db1e69e7f70679,7321302edca3a349ddaea689df95b986beee6c4a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a292fdecd72834b3bec380baa5db1e69e7f70679,7b7d7693a55d606d700beb9549c9f7f0e5d9c24f)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.16"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T00:42:16.424982+00:00", "value": {"mitigation_remediation": ["Update the running kernel to a version that incorporates the amdgpu driver change that removes the WARN_ON statements.", "If building from source, apply or verify the application of commit\u202f2c333ea5, which removes the warning path from the driver.", "Monitor kernel logs for any remaining amdgpu warning messages; if warnings continue, investigate further configuration changes or contact the distribution maintainer for a patched kernel."], "summary": {"action": "Apply Patch", "impact": "Kernel Warning Trigger"}, "threat_synthesis": {"affected_systems": "Linux kernels that include the amdgpu driver before the commit that removed the WARN_ON checks are affected. Kernel versions from 6.16 and the 7.0 series release candidates through 7.0-rc7 are listed as vulnerable, indicating that any kernel prior to the application of the patch may exhibit the warning behavior.", "description_and_impact": "The Linux kernel\u2019s amdgpu driver contains a flaw where a userspace application can cause the kernel to emit a WARN_ON warning backtrace via the user queue wait ioctl. By requesting an excessively small number of fences or letting the required number of fences grow between calls, the driver would warn even though the kernel is in a valid state. The fix removes these WARN_ON checks, limiting the observable effect to an errno return value returned to userspace.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1\u202f% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local userspace access to the amdgpu driver and results only in delivery of kernel warning backtraces, not in code execution or denial of service. The likely attack vector is local userspace interaction with the amdgpu device; the fix removes the warning path and mitigates the issue."}}}}, "created": "2026-03-25T21:32:15.951839+00:00", "updated": "2026-04-29T00:45:26.167594+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}