In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix watch_id bounds checking in debug address watch v2
The address watch clear code receives watchid as an unsigned value (u32), but some helper functions were using a signed int and checked bits by shifting with watchid.
If a very large watchid is passed from userspace, it can be converted to a negative value. This can cause invalid shifts and may access memory outside the watchpoints array.
drm/amdkfd: Fix watch_id bounds checking in debug address watch v2
Fix this by checking that watchid is within MAXWATCHADDRESSES before using it. Also use BIT(watchid) to test and clear bits safely.
This keeps the behavior unchanged for valid watch IDs and avoids undefined behavior for invalid ones.
Fixes the below: drivers/gpu/drm/amd/amdgpu/../amdkfd/kfddebug.c:448 kfddbgtrapcleardevaddresswatch() error: buffer overflow 'pdd->watchpoints' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped
drivers/gpu/drm/amd/amdgpu/../amdkfd/kfddebug.c 433 int kfddbgtrapcleardevaddresswatch(struct kfdprocessdevice *pdd, 434 uint32t watchid) 435 { 436 int r; 437 438 if (!kfddbgownsdevwatchid(pdd, watch_id))
kfddbgownsdevwatchid() doesn't check for negative values so if watchid is larger than INT_MAX it leads to a buffer overflow. (Negative shifts are undefined).
439 return -EINVAL;
440
441 if (!pdd->dev->kfd->shared_resources.enable_mes) {
442 r = debug_lock_and_unmap(pdd->dev->dqm);
443 if (r)
444 return r;
445 }
446
447 amdgpu_gfx_off_ctrl(pdd->dev->adev, false);
--> 448 pdd->watchpoints[watchid] = pdd->dev->kfd2kgd->clearaddresswatch( 449 pdd->dev->adev, 450 watch_id);
v2: (as per, Jonathan Kim) - Add early watchid >= MAXWATCHADDRESSES validation in the set path to match the clear path. - Drop the redundant bounds check in kfddbgownsdevwatchid().
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45878.json"
}