PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23264 Linux CVE debrief

A logic error in the Linux kernel's AMD GPU ASPM (Active State Power Management) handling can cause system crashes on multi-GPU configurations. The vulnerability stems from an erroneously re-applied commit that checks ASPM enablement from the PCIe subsystem globally, rather than per-device. When a system contains two AMD GPUs and only one supports ASPM, this global check leads to inconsistent power management state and hard-to-debug crashes. The issue was resolved by reverting the problematic commit. Local attackers with sufficient privileges to trigger GPU power state transitions could potentially exploit this to cause denial of service.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-18
Original CVE updated
2026-05-29
Advisory published
2026-03-18
Advisory updated
2026-05-29

Who should care

Organizations running Linux workstations or servers with multiple AMD GPUs, particularly in HPC, AI/ML training, rendering farms, and virtualization environments where GPU passthrough or mixed GPU generations are common.

Technical summary

The vulnerability exists in the AMD DRM driver's ASPM handling. Commit 0ab5d711ec74 (drm/amd: Refactor `amdgpu_aspm` to be evaluated per device) correctly moved ASPM evaluation to a per-device model. However, commit 7294863a6f01248d72b61d38478978d638641bee (Check if ASPM is enabled from PCIe subsystem) was subsequently re-applied, reintroducing a global PCIe subsystem ASPM check that conflicts with the per-device refactoring. On systems with two AMD GPUs where only one supports ASPM, this mismatch causes the driver to enter an inconsistent state, resulting in crashes that are difficult to diagnose. The fix is a clean revert of the erroneous commit. Attack vector is local (AV:L), requiring low privileges (PR:L) and low attack complexity (AC:L), with no user interaction (UI:N). The sole impact is high availability loss (A:H) through system crash/denial of service.

Defensive priority

medium

Recommended defensive actions

  • Apply the appropriate stable kernel patch for your branch: 5.15.y, 6.1.y, 6.6.y, 6.12.y, or 6.18.y, as identified in the NVD references.
  • For systems with multiple AMD GPUs, verify that all GPUs have consistent ASPM support before deploying kernel updates, or consider temporarily disabling ASPM via kernel boot parameter `pcie_aspm=off` if crashes persist.
  • Monitor kernel logs for ASPM-related errors on multi-GPU AMD systems, particularly after resume from suspend or power state transitions.
  • Prioritize patching on workstations and servers running multi-GPU AMD configurations used for compute, rendering, or virtualization workloads.

Evidence notes

CVE description confirms the revert of commit 7294863a6f01248d72b61d38478978d638641bee, which was erroneously re-applied after per-device ASPM refactoring in commit 0ab5d711ec74. NVD CPE data identifies affected Linux kernel versions across multiple stable branches. Five stable kernel patches are referenced. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields score 5.5 (MEDIUM).

Official resources

2026-03-18