CVE-2026-46156
A flaw in the Linux kernel's Loongson GPU driver can cause a system crash when the code attempts to read from an invalid memory address during hardware initialization. The vulnerability occurs in the `loongson_gpu_fixup_dma_hang()` function, which uses incorrect logic to identify and configure GPU devices on certain Loongarch-based systems. When a discrete GPU is present in a non-standard PCI slot configuration, the driver may try to access memory at a random address, triggering a kernel panic. This is a local issue that requires prior system access and affects the stability and availability of affected systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-667
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the "device" is from "base+PCI_DEVICE_ID", "base" is from "pdev->devfn+1". This is wrong when my platform inserts a discrete GPU: lspci -tv -[0000:00]-+-00.0 Loongson Technology LLC Hyper Transport Bridge Controller ... +-06.0 Loongson Technology LLC LG100 GPU +-06.2 Loongson Technology LLC Device 7a37 ... Add a default switch case to fix the panic as below: Kernel ade access[#1]: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4 pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0 a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002 a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001 t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000 t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0 t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8 s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000 s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000 ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210 ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 00000004 (PPLV0 +PIE -PWE) EUEN: 00000000 (-FPE -SXE -ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1) BADV: 7fffffffffffff00 PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV) Modules linked in: Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____)) Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007 0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff 900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08 0000000000000000 0000000000000000 0000000000000006 90000001002fb778 90000001000530b8 90000000027af000 0000000000000000 9000000100054000 9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001 90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000 0000000000000006 90000000027af000 0000000000000030 90000000027af000 900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560 7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030 ... Call Trace: [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210 [<9000000000eebc08>] pci_fixup_device+0x108/0x280 [<9000000000ebb70c>] pci_setup_device+0x24c/0x690 [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140 [<9000000000ebc684>] pci_scan_slot+0xc4/0x280 [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0 [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420 [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440 [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0 [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0 [<90000000010e200c>] device_for_each_child+0x6c/0xe0 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0 [<90000000010e200c>] device_for_each_child+0x6c/0xe0 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0 [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280 [<900000000189c028>] acpi_scan_init+0x194/0x310 [<900000000189bc6c>] acpi_init+0xcc/0x140 [<9000000000220cdc>] do_one_initcall+0x4c/0x310 [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4 [<900000000184326c>] kernel_init+0x28/0x13c [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the Loongson GPU fixup code (drivers/gpu/drm/loongson or equivalent) where a switch statement processes GPU device types without a default case. The function constructs a device identifier from `base + PCI_DEVICE_ID`, where `base` derives from `pdev->devfn + 1`. When a discrete GPU is inserted in certain PCI configurations (for example, at slot 06.2 rather than the expected 06.0), the device identifier does not match the expected DC2 or DC3 cases, leaving the switch statement to fall through without handling the mismatch. Subsequent code then calls `readl(crtc_reg)` with an uninitialized or invalid `crtc_reg` value, resulting in an Address Error Exception (ADE). The fix adds a default case to safely handle unexpected device identifiers and prevent the uncontrolled memory access.
Business impact
Systems experiencing this crash lose availability during boot or kernel initialization, requiring manual intervention or reboot. For cloud or data center deployments using Loongarch-based infrastructure, this represents an unplanned downtime risk. Automated deployments that rely on clean kernel initialization will fail when encountering this condition. The impact is limited to availability (no data exposure or integrity compromise), but can cascade into service disruptions if the affected hardware is part of a critical infrastructure or boot sequence.
Affected systems
The vulnerability affects Linux kernels running on Loongarch-based systems equipped with discrete Loongson GPUs, particularly when the GPU occupies non-standard PCI device slots. Systems with the standard GPU configuration (e.g., slot 06.0) may not trigger the condition if the switch statement happens to match a default case, but any platform with discrete GPU variants or custom PCI configurations is at risk. Specific affected products are Linux kernel implementations on Loongarch platforms; verify your kernel version and GPU device configuration against the vendor advisory.
Exploitability
Exploitation requires local access to the affected system and the presence of specific hardware (a discrete Loongson GPU in a non-standard PCI configuration). The vulnerability manifests automatically during driver initialization, with no user interaction needed once the hardware condition exists. An attacker cannot remotely trigger this vulnerability, and it does not enable privilege escalation or code execution—the crash occurs in kernel context but is an unintended denial of service rather than a controlled attack vector. The issue is more accurately classified as a compatibility bug that happens to cause a crash under certain hardware configurations.
Remediation
Apply a kernel update that includes the fix to `loongson_gpu_fixup_dma_hang()`. The patch adds a default case to the switch statement, ensuring that unrecognized GPU device identifiers are safely ignored rather than leading to invalid memory access. Verify the specific patch version in your kernel distribution's advisory. Alternatively, if a kernel update is not immediately available, systems can be temporarily protected by avoiding the hardware configuration that triggers the condition (e.g., ensuring GPUs are in the expected PCI slots) or by disabling GPU hardware acceleration if operationally feasible, pending patched kernel availability.
Patch guidance
Consult the Linux kernel security advisory and your distribution maintainer for the specific patched kernel version. The fix is minimal (adding a switch default case) and low-risk. Apply the update at your next scheduled maintenance window or immediately if affected systems are critical. Test the patched kernel in a staging environment first, particularly on Loongarch platforms with discrete GPU hardware, to confirm the crash no longer occurs during boot.
Detection guidance
Monitor kernel logs for Address Error Exception (ADE) events during PCI device initialization, particularly those mentioning `loongson_gpu_fixup_dma_hang()`. A telltale sign is a panic in early boot with BADV (bad address) values pointing to unmapped memory (e.g., 0x7fffffffffffff00 as shown in the advisory). Check hardware inventory to identify systems running Loongarch with discrete Loongson GPUs. Kernel crash dumps and serial logs should clearly show the function name in the call stack.
Why prioritize this
This is a medium-severity local denial-of-service affecting a specialized hardware platform. Prioritize patching if you operate Loongarch-based systems with discrete Loongson GPUs; the crash prevents system boot in affected configurations. For organizations running mainstream x86/ARM Linux deployments, this is a lower priority. However, given the simplicity of the fix and the severity of the impact on affected systems, consider it a targeted, high-urgency patch for Loongarch users.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects a local attack vector with low privileges required, no user interaction, and high availability impact (kernel crash). There is no confidentiality or integrity impact. The score appropriately weights the denial-of-service nature of the vulnerability, balanced against the requirement for local access and specific hardware conditions that limit the overall attack surface.
Frequently asked questions
Will this vulnerability affect my Linux system?
Only if you are running a Linux kernel on a Loongarch-based processor with a discrete Loongson GPU installed in a non-standard PCI slot configuration. Most mainstream x86 and ARM systems are unaffected. Check your hardware architecture and GPU model; if you are unsure, consult your system vendor's documentation.
What happens when the vulnerability is triggered?
The kernel crashes during PCI device initialization or boot, producing an Address Error Exception and a kernel panic. The system will not boot cleanly and will require a reboot or manual intervention. No data is lost, but the system becomes temporarily unavailable.
Is there a workaround if I cannot patch immediately?
Ensure your discrete GPU is installed in the expected standard PCI slot (typically 06.0 for Loongson systems). If you have flexibility in hardware layout, that may prevent the condition from being triggered. If the GPU cannot be moved, disabling GPU acceleration or using a headless kernel configuration are last-resort workarounds pending a patched kernel.
How critical is this patch for production deployments?
If your production infrastructure relies on Loongarch with discrete Loongson GPUs, this is a critical boot-blocking issue and should be patched immediately. For other platforms, it is a low priority. Loongarch users should treat this as high priority for service continuity.
This analysis is based on the CVE description and publicly available advisory information as of the publication date. The vulnerability is specific to Loongarch-based systems; mainstream x86/ARM deployments are not affected. Verify all patch versions, affected product SKUs, and patch availability against your Linux distribution vendor's official security advisory before applying updates. This explainer does not constitute professional security advice; consult your security team or vendor for guidance specific to your environment. Exploit code is not provided, and this advisory does not enable weaponization. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46165MEDIUM
CVE-2026-46165: Linux Kernel Open vSwitch Vport Deadlock Denial of Service
- CVE-2026-46112HIGH
CVE-2026-46112: Linux HNS RDMA Driver Locking Bug Enables Local Privilege Escalation
- CVE-2025-71313MEDIUM
CVE-2025-71313: Linux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUM
CVE-2025-71314: Linux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUM
CVE-2026-10004: Chrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUM
CVE-2026-10018: Integer Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUM
CVE-2026-10912: Chrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUM
CVE-2026-10916: Chrome DevTools UXSS Vulnerability | SEC.co Analysis