CVE-2026-53143 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11

The v11 MQD manager incorrectly assigned the CP-compute variants of
checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions
use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct
v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow.

During CRIU checkpoint of an SDMA queue on Navi3x:
- checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer,
leaking 1536 bytes of adjacent GTT memory to userspace

During CRIU restore:
- restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer,
corrupting 1536 bytes of adjacent GTT memory (often the ring buffer
or neighboring MQDs)

This is a copy-paste regression unique to v11. All other ASIC backends
(cik, vi, v9, v10, v12) correctly use the SDMA-specific variants.

Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly
handle the smaller v11_sdma_mqd structure, matching the pattern used in
other MQD managers.

(cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`cc009e613de6560eb499f8bc92c80a737752cb30`	affected	< 16dad1fb0d783a4008de30e32d0038c393de05b1
`cc009e613de6560eb499f8bc92c80a737752cb30`	affected	< 2c5b66c9b4057b385566940935ebc32f6e6ebfd2
`cc009e613de6560eb499f8bc92c80a737752cb30`	affected	< d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64
`cc009e613de6560eb499f8bc92c80a737752cb30`	affected	< d02f05d30f35b036f7cbaf72de634affb5b38ec6
`cc009e613de6560eb499f8bc92c80a737752cb30`	affected	< 352ea59028ea48a6fff77f19ae28f98f71946a80

Linux

affected

Version	Status	Constraints
`5.19`	affected	—
`0`	unaffected	< 5.19
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

No data.

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/16dad1fb0d783a4008de30e32d0038c393de05b1
https://git.kernel.org/stable/c/2c5b66c9b4057b385566940935ebc32f6e6ebfd2
https://git.kernel.org/stable/c/352ea59028ea48a6fff77f19ae28f98f71946a80
https://git.kernel.org/stable/c/d02f05d30f35b036f7cbaf72de634affb5b38ec6
https://git.kernel.org/stable/c/d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64

History

Thu, 25 Jun 2026 10:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-122 CWE-787

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 The v11 MQD manager incorrectly assigned the CP-compute variants of checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow. During CRIU checkpoint of an SDMA queue on Navi3x: - checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer, leaking 1536 bytes of adjacent GTT memory to userspace During CRIU restore: - restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer, corrupting 1536 bytes of adjacent GTT memory (often the ring buffer or neighboring MQDs) This is a copy-paste regression unique to v11. All other ASIC backends (cik, vi, v9, v10, v12) correctly use the SDMA-specific variants. Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly handle the smaller v11_sdma_mqd structure, matching the pattern used in other MQD managers. (cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)
Title		drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/16dad1fb0d783a4008de30e32d0038c393de05b1 https://git.kernel.org/stable/c/2c5b66c9b4057b385566940935ebc32f6e6ebfd2 https://git.kernel.org/stable/c/352ea59028ea48a6fff77f19ae28f98f71946a80 https://git.kernel.org/stable/c/d02f05d30f35b036f7cbaf72de634affb5b38ec6 https://git.kernel.org/stable/c/d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:30.901Z

Updated: 2026-06-25T08:38:30.901Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53143

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T10:30:17Z

Weaknesses

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object