PatchSiren

CVE-2026-45976 Linux CVE debrief

A memory leak vulnerability exists in the Linux kernel's AMDGPU driver, specifically within the `amdgpu_ras_init()` function. When `amdgpu_nbio_ras_sw_init()` fails during initialization, the function returns directly without freeing a previously allocated `con` structure, resulting in a memory leak. The fix redirects error handling to a `release_con` label to ensure proper cleanup. This vulnerability was identified through prototype static analysis tooling and code review, with the fix being compile-tested only. The issue affects the Reliability, Availability, and Serviceability (RAS) subsystem initialization path for AMD GPU hardware.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with AMD GPU hardware, particularly those utilizing RAS (Reliability, Availability, Serviceability) features for error detection and reporting in data center or workstation deployments. Kernel maintainers and distributors should prioritize inclusion of the fix commits in stable kernel updates.

Technical summary

The vulnerability is located in `drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c` in the `amdgpu_ras_init()` function. The code allocates a `con` structure via `kzalloc()` early in the function. If the subsequent call to `amdgpu_nbio_ras_sw_init()` returns an error, the original code path returns directly, leaking the allocated memory. The correction replaces that direct return with a `goto` to a `release_con` label, so that `kfree(con)` runs before the error code is returned. This is a classic error-handling omission in kernel driver initialization code.
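The error-path pattern described above, as an added userspace model and not the kernel's own code: `ras_init_leaky()` mirrors the direct return, `ras_init_fixed()` mirrors the jump to `release_con`. The `struct ras_con` layout, the `model_*` helpers and `leaked_by()` are hypothetical names used only for this illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model (assumption): static slot + counter replace kzalloc/kfree. */
struct ras_con { int features; };      /* hypothetical stand-in for con */
static struct ras_con slot;
static int live_allocs;
static struct ras_con *model_zalloc(void) {
    slot = (struct ras_con){0};
    live_allocs++;
    return &slot;
}
static void model_free(struct ras_con *p) { if (p) live_allocs--; }
/* Stand-in for amdgpu_nbio_ras_sw_init(); fails on request. */
static int model_sw_init(int fail) { return fail ? -EINVAL : 0; }

/* Pre-fix shape: the failure path returns directly and leaks con. */
int ras_init_leaky(int fail, struct ras_con **out) {
    struct ras_con *con = model_zalloc();
    int r = model_sw_init(fail);
    if (r) return r;                   /* con is never freed */
    *out = con;
    return 0;
}

/* Post-fix shape: the failure path jumps to release_con. */
int ras_init_fixed(int fail, struct ras_con **out) {
    struct ras_con *con = model_zalloc();
    int r = model_sw_init(fail);
    if (r) goto release_con;
    *out = con;
    return 0;
release_con:
    model_free(con);
    return r;
}

/* Runs one init attempt; returns how many allocations it left behind. */
int leaked_by(int (*init)(int, struct ras_con **), int fail) {
    struct ras_con *con = NULL;
    live_allocs = 0;
    if (init(fail, &con) == 0) model_free(con);  /* normal teardown */
    return live_allocs;
}

int main(void) {
    printf("pre-fix leaked %d, ", leaked_by(ras_init_leaky, 1));
    printf("post-fix leaked %d\n", leaked_by(ras_init_fixed, 1));
    return 0;
}
```

The leak appears only when the sub-initialization fails, which is why this class of bug tends to surface through static analysis or fault injection rather than normal operation.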

Defensive priority

low

Recommended defensive actions

  • Apply kernel updates containing the referenced stable tree commits when available through distribution maintainers
  • Monitor NVD for CVSS scoring once analysis is completed
  • Review local systems for AMD GPU hardware utilizing RAS features
  • Consider enabling kernel memory debugging in test environments to identify similar issues: KMEMLEAK reports leaked allocations, while KASAN covers out-of-bounds and use-after-free errors rather than leaks

Evidence notes

Vulnerability description sourced from official CVE record published 2026-05-27. Fix commits identified in kernel.org stable tree. No CVSS score or severity assigned by NVD at time of publication (status: Awaiting Analysis). Vendor identification marked low confidence by source system due to 'Unknown Vendor' classification with 'Kernel' domain candidate.
