CVE-2026-45878

Source
https://cve.org/CVERecord?id=CVE-2026-45878
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45878.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-45878
Downstream
Related
Published
2026-05-27T12:16:49.108Z
Modified
2026-06-27T11:55:01.083583117Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
drm/amdkfd: Fix watch_id bounds checking in debug address watch v2
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2

The address watch clear code receives watchid as an unsigned value (u32), but some helper functions were using a signed int and checked bits by shifting with watchid.

If a very large watchid is passed from userspace, it can be converted to a negative value. This can cause invalid shifts and may access memory outside the watchpoints array.

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2

Fix this by checking that watchid is within MAXWATCHADDRESSES before using it. Also use BIT(watchid) to test and clear bits safely.

This keeps the behavior unchanged for valid watch IDs and avoids undefined behavior for invalid ones.

Fixes the below: drivers/gpu/drm/amd/amdgpu/../amdkfd/kfddebug.c:448 kfddbgtrapcleardevaddresswatch() error: buffer overflow 'pdd->watchpoints' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped

drivers/gpu/drm/amd/amdgpu/../amdkfd/kfddebug.c 433 int kfddbgtrapcleardevaddresswatch(struct kfdprocessdevice *pdd, 434 uint32t watchid) 435 { 436 int r; 437 438 if (!kfddbgownsdevwatchid(pdd, watch_id))

kfddbgownsdevwatchid() doesn't check for negative values so if watchid is larger than INT_MAX it leads to a buffer overflow. (Negative shifts are undefined).

439                 return -EINVAL;
440
441         if (!pdd->dev->kfd->shared_resources.enable_mes) {
442                 r = debug_lock_and_unmap(pdd->dev->dqm);
443                 if (r)
444                         return r;
445         }
446
447         amdgpu_gfx_off_ctrl(pdd->dev->adev, false);

--> 448 pdd->watchpoints[watchid] = pdd->dev->kfd2kgd->clearaddresswatch( 449 pdd->dev->adev, 450 watch_id);

v2: (as per, Jonathan Kim) - Add early watchid >= MAXWATCHADDRESSES validation in the set path to match the clear path. - Drop the redundant bounds check in kfddbgownsdevwatchid().

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45878.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e0f85f4690d089cc1a60337decafb1acf7eec45e
Fixed
971bf8e61e9b4abaacf9b35eaf76ec222758f9d6
Fixed
a0d367e13db63a6ed76ee0d0a8c3a58c1fa98488
Fixed
2b36c0c1bcbbe15f6cfa9652084b3124c835a150
Fixed
3c38a0f07aa2bfef2b219b1f045534ad93f85afd
Fixed
5a19302cab5cec7ae7f1a60c619951e6c17d8742

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45878.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.6.128
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.14
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45878.json"