CVE-2026-46276

Source
https://cve.org/CVERecord?id=CVE-2026-46276
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46276.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46276
Downstream
Related
Published
2026-06-08T15:41:18.672Z
Modified
2026-06-18T03:54:44.065334134Z
Summary
drm/amdgpu: fix zero-size GDS range init on RDNA4
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix zero-size GDS range init on RDNA4

RDNA4 (GFX 12) hardware removes the GDS, GWS, and OA on-chip memory resources. The gfxv120 initialisation code correctly leaves adev->gds.gdssize, adev->gds.gwssize, and adev->gds.oa_size at zero to reflect this.

amdgputtminit() unconditionally calls amdgputtminitonchip() for each of these resources regardless of size. When the size is zero, amdgputtminitonchip() forwards the call to ttmrangemaninit(), which calls drmmminit(mm, 0, 0). drmmminit() immediately fires DRMMMBUGON(start + size <= start) -- trivially true when size is zero -- crashing the kernel during modprobe of amdgpu on an RX 9070 XT.

Guard against this by returning 0 early from amdgputtminitonchip() when sizeinpage is zero. This skips TTM resource manager registration for hardware resources that are absent, without affecting any other GPU type.

DRMMMBUGON() only asserts if CONFIGDRMDEBUGMM is enabled in the kernel config. This is apparently rarely enabled as these chips have been in the market for over a year and this issue was only reported now.

Oops-Analysis: http://oops.fenrus.org/reports/bugzilla.korg/221376/report.html (cherry picked from commit 5719ce5865279cad4fd5f01011fe037168503f2d)

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46276.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c832c346cdf9022872655be621880e0f66f4135d
Fixed
1f5d33e7b0a9a2a140f46e22fb52eede323c5946
Fixed
9bc925759c05feae7dfa9570e77131d54729c8ea
Fixed
36f9602fb22ede69fcc8b422be0cf8105bf655ad
Fixed
be0376affcafa0bbb371bb501579a825eae32281
Fixed
0e21db1a77967bc15df662efdca8ea8a61d124ea
Fixed
30c000a49094ec568c9b51b7421f7a4a3f0b0298
Fixed
3e26c76891ab99fa173e9c501119fbb5c9f4600f
Fixed
095a8b0ad3c3b5cdc3850d961adb8a8f735220bb

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46276.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.86
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.27
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46276.json"