CVE-2026-53144 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: fix NULL dereference in get_queue_ids()

When usr_queue_id_array is NULL and num_queues is non-zero,
get_queue_ids() returns NULL. The callers check only IS_ERR() on the
return value; since IS_ERR(NULL) == false the check passes, and
suspend_queues() calls q_array_invalidate() which immediately
dereferences NULL while iterating num_queues times.

Userspace can trigger this via kfd_ioctl_set_debug_trap() by supplying
num_queues > 0 with a zero queue_array_ptr, causing a kernel panic.

A NULL usr_queue_id_array with num_queues == 0 is a legitimate no-op
(q_array_invalidate never executes, and resume_queues already guards
all queue_ids dereferences behind a NULL check). Return ERR_PTR(-EINVAL)
only when num_queues is non-zero and the pointer is absent; both callers
already propagate IS_ERR() returns correctly to userspace.

(cherry picked from commit f165a82cdf503884bb1797771c61b2fcc72113d4)

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00168.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a70a93fa568b4f05aba548dadb673703eccf5480`	affected	< 62bd09e23a23da70f9aae02748eba3e6bd93095d
`a70a93fa568b4f05aba548dadb673703eccf5480`	affected	< daeceb0fe2a19651c58bbfa3d9d515ecb6ca8996
`a70a93fa568b4f05aba548dadb673703eccf5480`	affected	< 72e259a32084c42816152c346096d2edd4213e23
`a70a93fa568b4f05aba548dadb673703eccf5480`	affected	< e1965e8913cfbf17622ca12638e7a07f68ba0848
`a70a93fa568b4f05aba548dadb673703eccf5480`	affected	< 2bd550b547deabef98bd3b017ff743b7c34d3a6d

Linux

affected

Version	Status	Constraints
`6.5`	affected	—
`0`	unaffected	< 6.5
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/2bd550b547deabef98bd3b017ff743b7c34d3a6d
https://git.kernel.org/stable/c/62bd09e23a23da70f9aae02748eba3e6bd93095d
https://git.kernel.org/stable/c/72e259a32084c42816152c346096d2edd4213e23
https://git.kernel.org/stable/c/daeceb0fe2a19651c58bbfa3d9d515ecb6ca8996
https://git.kernel.org/stable/c/e1965e8913cfbf17622ca12638e7a07f68ba0848

History

Thu, 25 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: fix NULL dereference in get_queue_ids() When usr_queue_id_array is NULL and num_queues is non-zero, get_queue_ids() returns NULL. The callers check only IS_ERR() on the return value; since IS_ERR(NULL) == false the check passes, and suspend_queues() calls q_array_invalidate() which immediately dereferences NULL while iterating num_queues times. Userspace can trigger this via kfd_ioctl_set_debug_trap() by supplying num_queues > 0 with a zero queue_array_ptr, causing a kernel panic. A NULL usr_queue_id_array with num_queues == 0 is a legitimate no-op (q_array_invalidate never executes, and resume_queues already guards all queue_ids dereferences behind a NULL check). Return ERR_PTR(-EINVAL) only when num_queues is non-zero and the pointer is absent; both callers already propagate IS_ERR() returns correctly to userspace. (cherry picked from commit f165a82cdf503884bb1797771c61b2fcc72113d4)
Title		drm/amdkfd: fix NULL dereference in get_queue_ids()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2bd550b547deabef98bd3b017ff743b7c34d3a6d https://git.kernel.org/stable/c/62bd09e23a23da70f9aae02748eba3e6bd93095d https://git.kernel.org/stable/c/72e259a32084c42816152c346096d2edd4213e23 https://git.kernel.org/stable/c/daeceb0fe2a19651c58bbfa3d9d515ecb6ca8996 https://git.kernel.org/stable/c/e1965e8913cfbf17622ca12638e7a07f68ba0848

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:31.569Z

Updated: 2026-06-25T08:38:31.569Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53144

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T13:45:02Z

Weaknesses

CWE-476

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object