PatchSiren

CVE-2026-43400 Linux CVE debrief

CVE-2026-43400 is a Linux kernel vulnerability in amdgpu_userq_signal_ioctl, where excessively large user-supplied inputs could trigger an out-of-memory (OOM) condition and be exploited. NVD lists the affected Linux kernel ranges as 6.16 up to but not including 6.18.19, 6.19 up to but not including 6.19.9, and 7.0-rc1. The CVE was published on 2026-05-08.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distro security teams, and organizations running affected kernels with AMDGPU support should review this CVE. Systems that expose the relevant ioctl path to local users are the primary concern because the reported attack vector is local with low privileges.

Technical summary

The issue is a missing upper-bound check on user-controlled values passed into amdgpu_userq_signal_ioctl. According to the CVE description, huge inputs can cause OOM, so the fix checks the input against AMDGPU_USERQ_MAX_HANDLES, a limit the record says is sufficient for legitimate use cases, in order to avoid the memory exhaustion condition.

Defensive priority

Medium. The CVSS score is 5.5 with AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local low-privilege availability impact rather than data compromise. Prioritize patching on systems that run affected kernel versions and rely on AMDGPU.

Recommended defensive actions

  • Apply the upstream or stable kernel patches referenced in the CVE record.
  • Upgrade out of the affected kernel ranges: 6.16 up to but not including 6.18.19, 6.19 up to but not including 6.19.9, and affected 7.0-rc1 builds.
  • Review whether AMDGPU is enabled on exposed multi-user systems and schedule kernel updates accordingly.
  • Monitor vendor kernel advisories and backport status for your distribution.
  • If immediate patching is not possible, restrict local access where practical and watch for unexpected memory pressure or process failures linked to AMDGPU workloads.
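
To triage hosts against the ranges listed above, the following added example (not part of the CVE record or any kernel tooling) classifies a `uname -r` string by upstream version number. The function names are hypothetical, and the result reflects upstream numbering only: a distribution kernel may carry the fix or the vulnerable code as a backport under a different version, so confirm against the vendor advisory.

```python
import platform
import re

# Affected upstream ranges as listed on this page (from NVD),
# expressed as [start, end) on (major, minor, patch) tuples.
AFFECTED_RANGES = [
    ((6, 16, 0), (6, 18, 19)),
    ((6, 19, 0), (6, 19, 9)),
]
# Release candidates the page names explicitly: (major, minor, rc).
AFFECTED_RCS = {(7, 0, 1)}

# Matches "6.18.18-generic", "6.19", "7.0.0-rc1+"; distro suffixes are ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Parse a `uname -r` string into ((major, minor, patch), rc_or_None)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    return version, (int(rc) if rc else None)


def in_listed_range(release):
    """True if the upstream version falls in a range listed for CVE-2026-43400."""
    version, rc = parse_release(release)
    if rc is not None and (version[0], version[1], rc) in AFFECTED_RCS:
        return True
    # Assumption: any other -rc build is judged by its base version, which
    # errs on the side of flagging a host for review.
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    rel = platform.release()
    verdict = "in" if in_listed_range(rel) else "not in"
    print(f"{rel}: {verdict} a listed range (upstream numbering only)")
```

Pair the result with a check that the amdgpu driver is actually loaded or built in on the host, since the page scopes the concern to systems running AMDGPU.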

Evidence notes

This debrief uses only the CVE description, NVD metadata, and official kernel patch references provided in the source corpus. The source states that oversized inputs in amdgpu_userq_signal_ioctl may lead to OOM and that the fix adds an upper bound check against AMDGPU_USERQ_MAX_HANDLES. NVD marks the vulnerability analyzed and lists patch references at the stable kernel commit URLs.

Official resources

Publicly disclosed in the CVE record on 2026-05-08. NVD modified the record on 2026-05-21. The source corpus includes official NVD metadata and stable kernel patch references, but no exploit proof-of-concept or additional incident context.