CVE-2026-43169

Source: https://cve.org/CVERecord?id=CVE-2026-43169
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43169.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2026-43169
Downstream
Published: 2026-05-06T11:27:45.356Z
Modified: 2026-06-18T03:54:39.500227892Z
Summary
drm/buddy: Prevent BUG_ON by validating rounded allocation
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/buddy: Prevent BUG_ON by validating rounded allocation

When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is rounded up to the next power-of-two via roundup_pow_of_two(). Similarly, for non-contiguous allocations with large min_block_size, the size is aligned up via roundup(). Both operations can produce a rounded size that exceeds mm->size, which later triggers BUG_ON(order > mm->max_order).

Example scenarios:
- 9G CONTIGUOUS allocation on 10G VRAM memory: roundup_pow_of_two(9G) = 16G > 10G
- 9G allocation with 8G min_block_size on 10G VRAM memory: roundup(9G, 8G) = 16G > 10G

Fix this by checking the rounded size against mm->size. For non-contiguous or range allocations where size > mm->size is invalid, return -EINVAL immediately. For contiguous allocations without range restrictions, allow the request to fall through to the existing __alloc_contig_try_harder() fallback.

This ensures invalid user input returns an error or uses the fallback path instead of hitting BUG_ON.

v2: (Matt A)
- Add Fixes, Cc stable, and Closes tags for context
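
The two scenarios above, worked through as an added example (not part of the CVE record or the kernel patch): a userspace C model of the rounded-size check and the three outcomes the description names. The `model_*` and `MODEL_*` names are hypothetical, and the early rejection of zero or over-pool requests is an assumption of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GiB (1ULL << 30)

enum { MODEL_PROCEED = 0, MODEL_TRY_HARDER = 1 };

/* Userspace stand-in for roundup_pow_of_two(); n must be <= 2^63. */
static uint64_t model_roundup_pow_of_two(uint64_t n)
{
    uint64_t p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

/* Userspace stand-in for roundup(x, y); y must be non-zero. */
static uint64_t model_roundup(uint64_t x, uint64_t y)
{
    return (x % y) ? x + (y - x % y) : x;
}

/* Hypothetical model of the check: -EINVAL, MODEL_TRY_HARDER or MODEL_PROCEED. */
int model_validate(uint64_t mm_size, uint64_t size, uint64_t min_block_size,
                   bool contiguous, bool range_restricted)
{
    /* Model assumption: zero, over-pool and > 2^63 pool requests are invalid. */
    if (!size || !min_block_size || size > mm_size || mm_size > (1ULL << 63))
        return -EINVAL;

    uint64_t rounded = contiguous ? model_roundup_pow_of_two(size)
                                  : model_roundup(size, min_block_size);
    if (rounded <= mm_size)
        return MODEL_PROCEED;       /* rounded size still fits the pool */
    if (contiguous && !range_restricted)
        return MODEL_TRY_HARDER;    /* leave it to the fallback path */
    return -EINVAL;                 /* rounding pushed the request past mm->size */
}

int main(void)
{
    /* Constructed inputs: the two scenarios from the description, 10G pool. */
    printf("9G contiguous: %d\n", model_validate(10 * GiB, 9 * GiB, 4096, true, false));
    printf("9G, 8G min block: %d\n", model_validate(10 * GiB, 9 * GiB, 8 * GiB, false, false));
    return 0;
}
```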

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43169.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: 0a1844bf0b532d84324453374ad6845f64066c28
Fixed: d764b8dd420098a4d253b8a5b27568c897edb2cf
Fixed: 6236c1cd9fdf433d39ed28b2491ccdfe7ae95061
Fixed: ecb32c60d8cbed2ee9ce9f343b6aa2f32babc727
Fixed: 5488a29596cdba93a60a79398dc9b69d5bdadf92

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43169.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events:
Introduced: 6.7.0
Fixed: 6.12.75

Type: ECOSYSTEM
Events:
Introduced: 6.13.0
Fixed: 6.18.16

Type: ECOSYSTEM
Events:
Introduced: 6.19.0
Fixed: 6.19.6

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43169.json"