PatchSiren

CVE-2026-43370 Git CVE debrief

CVE-2026-43370 is a Linux kernel vulnerability in the AMDGPU DRM path. The published description says a non-atomic vm->process_info assignment allowed a race when parent and child processes sharing the same drm_file both tried to acquire the same VM after fork(). The fix replaces that assignment with cmpxchg() to make acquisition atomic and prevent the use-after-free condition. NVD classifies the issue as locally exploitable with high confidentiality, integrity, and availability impact.

Vendor: Git
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-11
Advisory published: 2026-05-08
Advisory updated: 2026-05-11

Who should care

Linux kernel maintainers, distro security teams, and administrators of systems that use the AMDGPU driver—especially multi-user workstations or hosts where local users may run untrusted code.

Technical summary

According to the CVE description, the bug is a race condition in drm/amdgpu VM acquisition. Because vm->process_info was assigned non-atomically, two related processes sharing a drm_file after fork() could contend for the same VM and trigger a use-after-free. The resolved change uses cmpxchg() to serialize ownership changes and avoid the race.
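The race and its fix, replayed single-threaded in userspace C as an added example (not the kernel's code or the upstream patch). The struct names, the check-then-assign shape of the racy path, and the PIDs are assumptions for illustration; C11 atomic_compare_exchange_strong stands in for the kernel's cmpxchg().

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; not the kernel's structures. */
struct process_info { int owner_pid; };
struct vm {
    struct process_info *plain_info;             /* non-atomic variant */
    _Atomic(struct process_info *) atomic_info;  /* compare-exchange variant */
};

/* Assumed racy shape, split into its two steps so the bad interleaving
 * can be replayed deterministically without threads. */
static bool racy_check(const struct vm *vm) { return vm->plain_info == NULL; }
static void racy_assign(struct vm *vm, struct process_info *pi) { vm->plain_info = pi; }

/* Fixed shape: test and store are one atomic step; only the first caller wins. */
static bool atomic_acquire(struct vm *vm, struct process_info *pi)
{
    struct process_info *expected = NULL;
    return atomic_compare_exchange_strong(&vm->atomic_info, &expected, pi);
}

/* Number of callers that believe they acquired the VM (constructed PIDs). */
int replay_racy(void)
{
    struct vm vm = { .plain_info = NULL };
    struct process_info parent = { 100 }, child = { 101 };
    bool parent_ok = racy_check(&vm);
    bool child_ok = racy_check(&vm);          /* runs before the parent's store */
    if (parent_ok) racy_assign(&vm, &parent);
    if (child_ok) racy_assign(&vm, &child);   /* silently replaces the parent's pointer */
    return (int)parent_ok + (int)child_ok;
}

int replay_atomic(void)
{
    struct vm vm = { .plain_info = NULL };
    struct process_info parent = { 100 }, child = { 101 };
    atomic_init(&vm.atomic_info, NULL);
    return (int)atomic_acquire(&vm, &parent) + (int)atomic_acquire(&vm, &child);
}

int main(void)
{
    printf("racy winners=%d, atomic winners=%d\n", replay_racy(), replay_atomic());
    return 0;
}
```

With the non-atomic path both callers report success for the same VM; with compare-exchange the second caller is refused and can take its error path.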

Defensive priority

High for systems with AMDGPU support and local user exposure. The CVSS vector provided by NVD is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious local-impact issue even though it is not network exploitable.

Recommended defensive actions

  • Apply the kernel update or stable backport that includes the VM acquire race fix.
  • Prioritize patching systems that allow untrusted local accounts, developer workstations, and multi-user desktop environments.
  • Confirm your kernel build includes the AMDGPU fix by checking vendor advisories or the linked stable kernel commit references.
  • After updating, watch for kernel warnings, GPU driver resets, or other regressions during validation on AMDGPU systems.
  • Use least-privilege access controls for local accounts until remediation is complete.

Evidence notes

This debrief is based only on the supplied CVE metadata and NVD-listed references. The key technical facts come from the CVE description: a non-atomic vm->process_info assignment in drm/amdgpu VM acquire, a race after fork() between parent and child processes sharing a drm_file, and remediation via cmpxchg(). The CVSS vector supplied by NVD is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Official resources

Publicly disclosed in the CVE record on 2026-05-08 and last modified on 2026-05-11. This summary uses only the published CVE metadata and official NVD/kernel references in the supplied corpus.