PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23468 Unknown Vendor CVE debrief

CVE-2026-23468 is a Linux kernel amdgpu DRM issue where userspace could supply an arbitrarily large BO list entry count, leading to excessive memory use and long list processing. The fix adds a hard cap of 128k entries and returns -EINVAL when the limit is exceeded.

Vendor
Unknown Vendor
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-03
Original CVE updated
2026-05-17
Advisory published
2026-04-03
Advisory updated
2026-05-17

Who should care

Linux kernel and distribution maintainers, GPU/graphics stack operators, and administrators of systems with AMDGPU enabled—especially where untrusted local users or sandboxed workloads can reach the affected userspace-to-kernel interface.

Technical summary

The issue is in drm/amdgpu BO list handling. The bo_number field could be set to an arbitrary number of entries. While prior overflow checks prevented an out-of-bounds allocation, they did not prevent very large allocations or expensive processing of the list. The resolved change imposes a hard upper bound of 128k BO list entries, which is described as sufficient for realistic workloads, and rejects larger requests with -EINVAL. The primary impact described in the source is availability/resource exhaustion, not code execution or memory corruption.

Defensive priority

Medium: the described impact is resource exhaustion and degraded performance in the Linux kernel amdgpu path. Prioritize on systems that expose the affected interface to untrusted local userspace or multi-tenant workloads.

Recommended defensive actions

  • Apply the kernel fix that limits amdgpu BO list entries to 128k and ensure vendor/stable kernels include the backport.
  • Review affected Linux kernel builds and AMDGPU-enabled fleets for the patched commit or downstream equivalent.
  • Treat the issue as an availability hardening item: monitor for unusually large BO list requests or unexpected GPU-related memory pressure.
  • If you maintain downstream kernels, verify that the returned error path (-EINVAL) is preserved for requests above the limit.

Evidence notes

The source description states that userspace can pass an arbitrary number of BO list entries via bo_number, that prior overflow checks did not stop excessive allocation/processing, and that the fix introduces a 128k limit with -EINVAL on overflow. The NVD modified record lists kernel.org stable commit references associated with the fix. No CVSS score or KEV entry was provided in the supplied data.

Official resources

Publicly disclosed in the CVE record on 2026-04-03T16:16:34.330Z; the supplied NVD record was last modified on 2026-05-17T16:16:15.140Z. No KEV listing was provided in the supplied data.