EUVD-2026-28706

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add upper bound check on user inputs in signal ioctl Huge input values in amdgpuuserqsignalioctl can lead to a OOM and could be exploited. So check these input value against AMDGPUUSERQMAXHANDLES which is big enough...

EUVD-2026-28702

In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Fix user fence leak on alloc failure When dmafencechainalloc fails, properly release the user fence reference to prevent a memory leak. cherry picked from commit a5d5634cde48a9fcd68c8504aa07f89f175074a0...

EUVD-2026-28674

In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential overflow of shmem scatterlist length When a scatterlists table of a GEM shmem object of size 4 GB or more is populated with pages allocated from a folio, unsigned int .length attribute of a scatterlist may...

CVE-2026-43444

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Unreserve bo if queue update failed Error handling path should unreserve bo then return failed. cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33...

CVE-2026-43368

In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential overflow of shmem scatterlist length When a scatterlists table of a GEM shmem object of size 4 GB or more is populated with pages allocated from a folio, unsigned int .length attribute of a scatterlist may...

UBUNTU-CVE-2026-43395

In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Cleanup partially initialized sync on parse failure xesyncentryparse can allocate references syncobj, fence, chain fence, or user fence before hitting a later failure path. Several of those paths returned directly,...

UBUNTU-CVE-2026-43367

In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix a few more NULL pointer dereference in device cleanup I found a few more paths that cleanup fails due to a NULL version pointer on unsupported hardware. Add NULL checks as applicable. cherry picked from commit...

CVE-2026-43395

In the Linux kernel, the vulnerability CVE-2026-43395 affects the drm/xe/sync subsystem. During xe_sync_entry_parse(), references (syncobj, fence, chain fence, or user fence) can be allocated before a later failure path is reached, leaving partially initialized state and leaking refs. The fix rou...

CVE-2026-43395

In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Cleanup partially initialized sync on parse failure xesyncentryparse can allocate references syncobj, fence, chain fence, or user fence before hitting a later failure path. Several of those paths returned directly,...

CVE-2026-43370

The CVE-2026-43370 issue affects the Linux kernel DRM/AMDGPU subsystem, specifically a use-after-free race in VM acquisition. Root cause: a non-atomic vm->process_info assignment could race when parent and child processes sharing a drm_file both attempt to acquire the same VM after fork(). The...

CVE-2026-43369

In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix NULL pointer dereference in device cleanup When GPU initialization fails due to an unsupported HW block IP blocks may have a NULL version pointer. During cleanup in amdgpudevicefinihw, the code calls...

CVE-2026-43368 drm/i915: Fix potential overflow of shmem scatterlist length

In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential overflow of shmem scatterlist length When a scatterlists table of a GEM shmem object of size 4 GB or more is populated with pages allocated from a folio, unsigned int .length attribute of a scatterlist may...

CVE-2026-43318

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix sync handling in amdgpudmabufmovenotify Invalidating a dmabuf will impact other users of the shared BO. In the scenario where process A moves the BO, it needs to inform process B about the move and process B will...

CVE-2026-43302

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Set DMA segment size to avoid debug warnings When using V3D rendering with CONFIGDMAAPIDEBUG enabled, the kernel occasionally reports a segment size mismatch. This is because 'maxsegsize' is not set. The kernel defaults ...

CVE-2026-43287

In the Linux kernel, the following vulnerability has been resolved: drm: Account property blob allocations to memcg DRMIOCTLMODECREATEPROPBLOB allows userspace to allocate arbitrary-sized property blobs backed by kernel memory. Currently, the blob data allocation is not accounted to the allocatin...

CVE-2025-71298

In the Linux kernel, the following vulnerability has been resolved: drm/tests: shmem: Hold reservation lock around madvise Acquire and release the GEM object's reservation lock around calls to the object's madvide operation. The tests use drmgemshmemmadviselocked, which led to errors such as show...

CVE-2025-71301

In the Linux kernel, the following vulnerability has been resolved: drm/tests: shmem: Hold reservation lock around vmap/vunmap Acquire and release the GEM object's reservation lock around vmap and vunmap operations. The tests use vmaplocked, which led to errors such as show below. 122.292030...

CVE-2026-43320

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dsc eDP issue why Need to add function hook check before use...

CVE-2026-43302

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Set DMA segment size to avoid debug warnings When using V3D rendering with CONFIGDMAAPIDEBUG enabled, the kernel occasionally reports a segment size mismatch. This is because 'maxsegsize' is not set. The kernel defaults ...

CVE-2026-43320 drm/amd/display: Fix dsc eDP issue

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dsc eDP issue why Need to add function hook check before use...