PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31765 Linux CVE debrief

CVE-2026-31765 is a Linux kernel amdgpu/KFD availability issue that can crash affected systems, especially on 64KB page-size configurations. The problem is a size mismatch between the reserved GPU trap area and the KFD CWSR TBA/TMA allocation: the reserved space was hardcoded at 8KB while the allocation could grow to 128KB on 64KB-page systems. NVD rates the issue as local, low-complexity, low-privilege, no-user-interaction, with high availability impact.

Vendor
Linux
Product
CVE-2026-31765
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-01
Original CVE updated
2026-05-11
Advisory published
2026-05-01
Advisory updated
2026-05-11

Who should care

Linux administrators and platform owners running AMDGPU/KFD workloads on kernels in the affected ranges, especially on 64KB page-size systems and environments using rocminfo, RCCL unit tests, or similar GPU initialization paths.

Technical summary

The kernel description says AMDGPU_VA_RESERVED_TRAP_SIZE was hardcoded to 8KB while KFD_CWSR_TBA_TMA_SIZE was defined as 2 * PAGE_SIZE. That matched on 4K-page systems, but on 64K-page systems the allocation grew to 128KB while only 8KB was reserved, leading to a kernel NULL pointer dereference / crash during GPU VM initialization. The referenced fix changes the reserved trap size to 64KB and makes KFD_CWSR_TBA_TMA_SIZE follow the AMD GPU page size so the allocation does not exceed the reserved area.

Defensive priority

High for exposed AMDGPU/KFD deployments on 64KB page-size systems; moderate overall because the reported impact is denial of service rather than code execution.

Recommended defensive actions

  • Upgrade to a kernel version that includes the fix referenced by the official patch links.
  • Prioritize remediation on systems using AMDGPU/KFD with 64KB page-size kernels, especially if GPU tooling or tests can trigger the affected path.
  • Review deployed kernel versions against the affected ranges listed by NVD: 6.9 through 6.12.80, 6.13 through 6.18.21, 6.19 through 6.19.11, and 7.0 release candidates through rc6.
  • Monitor affected hosts for repeated kernel oopses or crashes involving amdgpu/KFD initialization paths.
  • If immediate upgrading is not possible, restrict unnecessary access to GPU management and test workloads on the impacted systems until patched.

Evidence notes

All substantive claims are supported by the supplied NVD record and the CVE description. The description explicitly states the trap-size mismatch, the 64KB-page-system crash condition, and the remediation approach. NVD classifies the weakness as CWE-476 and assigns CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The published date used here is 2026-05-01T15:16:39.633Z; the later modified date is 2026-05-11T17:48:57.713Z.

Official resources

Publicly disclosed in NVD on 2026-05-01 and updated on 2026-05-11. The issue appears in the Linux kernel amdgpu/KFD path and is tracked with official kernel patch references from the NVD record.