PatchSiren cyber security CVE debrief
CVE-2026-52987 Linux CVE debrief
A vulnerability in the Linux kernel has been resolved, involving a double drm_exec_fini() call in the userq validate path. The issue was found using a prototype static analysis tool and confirmed by code review. The vulnerability has a CVSS score of 7.8 and is classified as HIGH severity. The CVE record was published on 2026-06-24T17:17:09.517Z and last modified on 2026-06-28T08:16:28.030Z.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-24
- Original CVE updated: 2026-06-28
- Advisory published: 2026-06-24
- Advisory updated: 2026-06-28
Who should care
Linux kernel users and administrators should be aware of this vulnerability and take necessary actions to ensure their systems are updated with the patched kernel. The vulnerability can be exploited locally, and an attacker with low privileges can potentially gain high privileges. Therefore, it is essential to prioritize patching to prevent potential attacks.
Technical summary
The vulnerability is caused by a double drm_exec_fini() call in the userq validate path of the Linux kernel. When new_addition is true, amdgpu_userq_vm_validate() calls drm_exec_fini(&exec) before iterating over the collected HMM ranges and calling amdgpu_ttm_tt_get_user_pages(). If amdgpu_ttm_tt_get_user_pages() fails, the code jumps to unlock_all and calls drm_exec_fini(&exec) a second time on the same exec object. This can lead to use-after-free and other memory corruption issues.
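The control flow described above, reduced to a user-space C model. This is an added example, not kernel source and not the upstream fix. The names model_exec, validate_buggy and validate_guarded are constructed, the guard flag is one possible remedy, and the early return on success is an assumption of the model.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for struct drm_exec: one allocation plus a fini counter. */
struct model_exec { void *objects; int fini_calls; };
static void model_exec_init(struct model_exec *e) { e->objects = malloc(64); e->fini_calls = 0; }
/* Counts every call; frees only on the first so this demo itself stays memory-safe. */
static void model_exec_fini(struct model_exec *e) {
    if (e->fini_calls++ == 0) free(e->objects);
}

/* Flow as the page describes it. Returns how many times fini ran on one exec. */
int validate_buggy(bool new_addition, bool get_user_pages_fails) {
    struct model_exec exec;
    model_exec_init(&exec);
    if (new_addition) {
        model_exec_fini(&exec);       /* early fini before walking the HMM ranges */
        if (get_user_pages_fails)
            goto unlock_all;          /* error path lands in the shared cleanup */
        return exec.fini_calls;       /* assumption: success does not reach unlock_all */
    }
unlock_all:
    model_exec_fini(&exec);           /* second fini on the same exec after the jump */
    return exec.fini_calls;
}

/* One possible remedy (assumption, not the upstream patch): track whether exec is live. */
int validate_guarded(bool new_addition, bool get_user_pages_fails) {
    struct model_exec exec;
    bool exec_live = true;
    model_exec_init(&exec);
    if (new_addition) {
        model_exec_fini(&exec);
        exec_live = false;            /* cleanup below must not touch exec again */
        if (get_user_pages_fails)
            goto unlock_all;
        return exec.fini_calls;
    }
unlock_all:
    if (exec_live)
        model_exec_fini(&exec);
    return exec.fini_calls;
}

int main(void) { return validate_guarded(true, true) == 1 ? 0 : 1; }
```

A fini count of 2 from validate_buggy(true, true) is the double call; every other input combination, and every call to the guarded variant, yields 1.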
Defensive priority
High priority should be given to patching affected Linux kernel systems, as the vulnerability can be exploited locally and has a high CVSS score. Administrators should ensure that their systems are updated with the patched kernel to prevent potential attacks.
Recommended defensive actions
- Update Linux kernel systems with the patched kernel
- Review system logs for potential exploitation attempts
- Ensure system administrators are aware of the vulnerability and its potential impact
- Consider implementing additional security measures, such as memory protection and address space layout randomization (ASLR)
- Monitor system performance and behavior for signs of potential exploitation
Evidence notes
The vulnerability was found using a prototype static analysis tool and confirmed by code review. The CVE record was published on 2026-06-24T17:17:09.517Z and last modified on 2026-06-28T08:16:28.030Z. The CVSS score is 7.8, and the vulnerability is classified as HIGH severity.
Official resources
- CVE-2026-52987 CVE record (CVE.org)
- CVE-2026-52987 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
This article is AI-assisted and based on the supplied source corpus.