In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix sync handling in amdgpudmabufmovenotify
Invalidating a dmabuf will impact other users of the shared BO. In the scenario where process A moves the BO, it needs to inform process B about the move and process B will need to update its page table.
The commit fixes a synchronisation bug caused by the use of the ticket: it made amdgpuvmhandle_moved behave as if updating the page table immediately was correct but in this case it's not.
An example is the following scenario, with 2 GPUs and glxgears running on GPU0 and Xorg running on GPU1, on a system where P2P PCI isn't supported:
glxgears: export linear buffer from GPU0 and import using GPU1 submit frame rendering to GPU0 submit tiled->linear blit Xorg: copy of linear buffer
The sequence of jobs would be: drmschedjobrun # GPU0, frame rendering drmschedjobqueue # GPU0, blit drmschedjobdone # GPU0, frame rendering drmschedjobrun # GPU0, blit move linear buffer for GPU1 access # amdgpudmabufmovenotify -> update pt # GPU0
It this point the blit job on GPU0 is still running and would likely produce a page fault.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43318.json"
}