CVE-2026-46229: Linux KFD VRAM Stale Data Exposure in AMD GPU Compute
A vulnerability in the Linux kernel's AMD KFD (Kernel Fusion Driver) GPU memory management allows stale data from previous GPU memory allocations to remain accessible to new compute tasks. When GPU VRAM is allocated for new workloads, the kernel does not properly clear it, leaving behind fragments of prior page tables and data. Compute kernels can observe this leftover information, which can corrupt GPU-to-GPU communication protocols and cause application crashes, particularly in high-performance computing scenarios involving NVIDIA RCCL P2P transport operations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels. The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers. This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from an incomplete flag configuration in the KFD VRAM allocation path. While KFD correctly sets AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE to erase data when buffers are freed, it neglects to set AMDGPU_GEM_CREATE_VRAM_CLEARED during initial allocation. This flag, which is consistently applied by the standard GEM ioctl path (amdgpu_gem_create_ioctl and amdgpu_mode_dumb_create), ensures VRAM pages are zeroed before being handed to userspace. Without this flag, newly allocated VRAM retains stale page table entries and other residual kernel data. Compute kernels running under KFD can read these uninitialized values, leading to data disclosure and potential memory corruption in protocol-sensitive operations.
Business impact
Organizations running GPU-accelerated HPC workloads or AI/ML pipelines on AMD hardware may experience unexpected application failures and data integrity issues. RCCL-based multi-GPU communications can fail due to corrupted handshake fields (ptrExchange, head, tail), disrupting distributed training and inference jobs. While the vulnerability does not directly expose user-controlled data across security boundaries, it creates instability in production compute environments and can lead to silent data corruption if applications do not detect protocol violations. The scope is primarily isolated to the affected system, but for large-scale HPC centers or cloud GPU providers, widespread node failures could impact service availability.
Affected systems
Linux systems equipped with AMD Radeon GPUs that use the KFD driver for compute workloads. This includes AMD RDNA and CDNA GPU architectures running Linux kernels with the vulnerable KFD code path. Affected environments typically include HPC clusters, data centers running GPU-accelerated AI workloads, and systems using RCCL for multi-GPU coordination. Consumer systems with AMD discrete GPUs may also be affected if they execute GPGPU compute kernels through KFD, though traditional graphics-only workloads are less likely to trigger the vulnerability. AMD APUs with integrated Radeon graphics used for compute are not typically affected unless actively using KFD compute features.
Exploitability
This vulnerability requires local code execution with unprivileged user privileges to trigger. An attacker must launch a compute kernel through KFD that attempts to read from newly allocated GPU VRAM. No network vector exists; exploitation is limited to authenticated local users or containerized workloads on shared systems. The barrier to exploitation is low—any user with compute access can write a simple GPGPU kernel to probe allocated memory. However, weaponizing the stale data leak for practical attacks depends on whether sensitive kernel state (page table entries, encryption keys, or other secrets) happens to reside in freed VRAM at the time of allocation, making reliability and reproducibility challenges. The primary manifestation is denial of service through application crashes rather than direct privilege escalation or confidentiality breach.
Remediation
The fix involves adding the AMDGPU_GEM_CREATE_VRAM_CLEARED flag to KFD allocation calls, ensuring all GPU VRAM is zero-initialized before use. This aligns KFD behavior with the standard GEM ioctl path and eliminates the stale data exposure. The patch modifies the kernel-side KFD memory allocation logic; no userspace changes or configuration tuning is required. Organizations should prioritize patching on systems running active GPU compute workloads. For environments where KFD is not used or GPU compute is disabled, the risk is minimal.
Patch guidance
Apply the Linux kernel patch that adds VRAM_CLEARED flag initialization to the KFD allocation pathway. Verify against official Linux kernel security advisories and your Linux distribution's kernel security updates for specific version numbers and release schedules. Test patched kernels in a staging environment on GPU-compute-enabled systems to confirm no performance regression or driver instability. For distributions using long-term support kernels (e.g., RHEL, Ubuntu LTS, SLES), monitor vendor advisories for backported patches. GPU driver user-mode libraries (ROCm, AMDGPU Pro) may require corresponding updates; consult AMD's release notes to ensure compatibility. Reboot systems post-kernel-patch to activate the fix.
Detection guidance
Detection of exploitation attempts is difficult without kernel instrumentation, as the vulnerability manifests as application crashes rather than clear security events. Monitor GPU compute job logs for unexplained segmentation faults or RCCL handshake timeouts on multi-GPU systems. Examine kernel logs for KFD-related errors or allocation failures. In high-security environments, enable CONFIG_DEBUG_OBJECTS and memory tagging extensions (MTE) if available to catch uninitialized memory reads. Workload profiling tools can detect abnormal memory access patterns in compute kernels. However, proactive patching is more reliable than detection; this is not a vulnerability where behavioral indicators are reliably logged by default.
Why prioritize this
Although rated CVSS 5.5 (Medium), this vulnerability merits expedited patching in HPC and AI/ML environments because: (1) Impact scope includes data integrity and availability of critical workloads, (2) exploitability is trivial for any local user with compute access, (3) manifestations (crashes, RCCL failures) can cascade across distributed training jobs, and (4) the fix is non-invasive and carries low regression risk. Organizations with light GPU usage or no KFD compute workloads can safely deprioritize. Those running dense GPU clusters or multi-tenant Kubernetes environments with GPU access should prioritize within their standard patch cycle.
Risk score, explained
The CVSS 5.5 reflects local attack vector, low privileges required, high availability impact (denial of service via crash), and no confidentiality or integrity impact under the standard scoring assumptions. However, practical risk is contextual: in isolated single-user GPU systems, impact is low; in shared HPC clusters where GPU access is compartmentalized, a malicious user crashing a job affects their own workload or a shared queue. The lack of KEV consideration and the information-disclosure component (stale kernel memory potentially visible to compute kernels) suggest this was rated conservatively, assuming the exposed data is non-critical. Organizations should adjust priority based on multi-tenancy posture and GPU compute criticality.
Frequently asked questions
Does this vulnerability affect consumer machines with AMD GPUs?
Only if they actively run GPU compute workloads through the KFD driver (typically via ROCm or similar frameworks). Traditional gaming, media playback, and graphics-only applications do not use KFD compute features and are not exposed. Consumer users running inference or AI workloads locally would be affected.
Can this vulnerability be exploited remotely?
No. The attack vector is local only, requiring either unprivileged user shell access or execution within a container on the same GPU-hosting system. There is no network-based exploitation path.
Will patching my kernel break my GPU applications?
The patch adds a memory-clearing operation during allocation, which is transparent to applications and aligns KFD with existing GEM behavior. No code changes to userspace applications are required. However, test in staging on your specific hardware and driver combination before production rollout to verify no driver compatibility issues.
What is RCCL and why does this vulnerability crash it?
RCCL (Radeon Collective Communications Library) is NVIDIA's equivalent for AMD GPUs, used to coordinate multi-GPU operations (e.g., AllReduce). It relies on hand-shake fields in shared GPU memory. Stale non-zero data in these fields breaks the protocol, causing initialization failures. This is specific to multi-GPU compute scenarios.
This analysis is provided for informational purposes and should not be considered a substitute for official vendor advisories or independent security assessment. CVSS score and vulnerability details are derived from published Linux kernel security disclosures. Customers should verify patch availability and compatibility with their specific kernel versions, distributions, and GPU hardware configurations before applying updates. SEC.co makes no guarantee regarding patch release dates, specific version numbers, or deployment timelines. GPU compute workload behavior, multi-tenancy posture, and organizational risk tolerance should inform prioritization decisions. Always test kernel updates in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure