CVE-2026-46220 Linux CVE debrief

Who should care

Linux system administrators running kernels with AMDGPU support; organizations using AMD GPUs in desktop, workstation, or server environments; security teams monitoring for local privilege escalation or denial-of-service vectors in graphics drivers

Technical summary

The AMDGPU SDMA4 driver's fence emission routine used `BUG_ON()` assertions to validate dword-aligned fence writeback addresses. These assertions were reachable from unprivileged userspace through the `DRM_IOCTL_AMDGPU_CS` IOCTL, allowing local attackers to trigger kernel panics. The vulnerability represents a defense-in-depth failure where kernel crash assertions were exposed to untrusted input rather than being restricted to internal driver invariants. The fix converts fatal assertions to warnings, deferring proper input validation to the CS IOCTL entry point.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates containing the referenced stable branch commits when available from your Linux distribution
• Monitor vendor security advisories for backported fixes to currently deployed kernel versions
• Consider restricting unprivileged access to AMDGPU DRM devices where feasible as a temporary mitigation
• Review system logs for WARN_ON messages indicating misaligned fence addresses that may indicate driver bugs

Evidence notes

The CVE description and kernel commit references confirm the vulnerability: unprivileged userspace could trigger `BUG_ON(addr & 0x3)` assertions in `sdma_v4_0_ring_emit_fence()` via the AMDGPU CS IOCTL path, resulting in kernel panic. The fix (cherry-picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e) replaces fatal assertions with non-fatal warnings. Multiple stable kernel branch commits are referenced indicating backports to affected versions.

Official resources