Listen to this Post
CVE-2026-46204 is an out‑of‑bounds (OOB) read vulnerability in the AMDGPU driver’s Video Core Next 4 (VCN4) component of the Linux kernel. The flaw resides in how the driver parses user‑supplied Instruction Buffers (IB) inside `vcn_v4_0_enc_find_ib_param()` and vcn_v4_0_ring_patch_cs_in_place(). In affected versions, code directly accesses the `ib->ptr
` array while its loop condition only checks <code>i < ib->length_dw</code>. This is insufficient because `ib->ptr[bash]` can still attempt to read one element beyond the allowed offset when `i` approaches `length_dw` [6†L4-L6]. A local user with sufficient privileges (requiring `/dev/dri` access) can craft a malicious IB that triggers this out‑of‑bounds read. Since there is no effective bounds check, the kernel may read sensitive memory contents that belong to other processes or kernel structures. Under certain conditions, this can also lead to kernel instability or a denial‑of‑service (DoS) by accessing an unmapped or guard‑page area [1†L12-L14]. The fix replaces all direct `ib->ptr[bash]` accesses with <code>amdgpu_ib_get_value(ib, i)</code>, a helper function that internally performs proper bounds checking. If the index is out of range, the function safely returns a default value or triggers an error path, eliminating the OOB read [2†L10-L12]. The vulnerability affects a wide range of Linux kernel versions, and patches have been backported to the stable branches as detailed in the official CVE announcement [7†L10-L14]. <h2 style="color: blue;">DailyCVE Form:</h2> Platform: Linux Kernel Version: <6.6.140,<6.12.90,<6.18.32,<7.0.9 Vulnerability: Out-of-Bounds Read Severity: High date: 2026-05-28 <h2 style="color: blue;">Prediction: 2026-07-15</h2> <h2 style="color: blue;">What Undercode Say:</h2> [bash] View kernel version uname -r Check if patch is applied (should contain amdgpu_ib_get_value) grep -n "amdgpu_ib_get_value" /lib/modules/$(uname -r)/kernel/drivers/gpu/drm/amd/amdgpu/amdgpu.ko 2>/dev/null View current IB parsing code in vcn_v4_0.c (from kernel source) grep -A 10 "vcn_v4_0_enc_find_ib_param" /path/to/linux/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
// Vulnerable code pattern
for (i = 0; i < ib->length_dw; i++) {
value = ib->ptr[bash]; // OOB if i == length_dw
}
// Fixed code
for (i = 0; i < ib->length_dw; i++) {
value = amdgpu_ib_get_value(ib, i); // Safe bounds check
}
Exploit:
No public exploit is available at this time. However, a local user can attempt to trigger the OOB read by:
1. Opening a DRM file descriptor to the AMD GPU (/dev/dri/cardX).
2. Submitting a crafted video encode job with an Instruction Buffer where the loop condition `i < ib->length_dw` is satisfied, but the corresponding array access `ib->ptr[bash]` lies outside the allocated buffer.
3. Observing kernel memory disclosures or system crashes as a result.
Protection:
- Apply the security update from your Linux distribution (stable kernel versions 6.6.140, 6.12.90, 6.18.32, 7.0.9 or later) [7†L10-L14].
- If a full upgrade is not possible, cherry‑pick the relevant commits from the Linux kernel stable tree.
- As a workaround, restrict physical access to the system and remove the `video` group from untrusted users to prevent access to `/dev/dri/` devices.
Impact:
- Confidentiality: An attacker may read sensitive kernel memory (e.g., credentials, cryptographic keys, other process data).
- Availability: Memory corruption can cause kernel panics, leading to denial of service.
- Privilege Escalation: While not directly granting code execution, information leaks can aid further exploits (e.g., defeating KASLR).
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
