HIGH 7.1

CVE-2026-46230: AMD GPU VCN3 Out-of-Bounds Memory Read on Linux

A boundary-checking flaw in the Linux kernel's AMD GPU video codec driver (VCN3) allows a local user with moderate privileges to read memory beyond allocated buffer boundaries when the driver processes video decoding messages. This out-of-bounds read could expose sensitive kernel memory or crash the system. The vulnerability requires local access and existing user-level permissions to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Weaknesses (CWE)
CWE-125
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg Check bounds against the end of the BO whenever we access the msg.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46230 is an out-of-bounds (OOB) read vulnerability in the drm/amdgpu/vcn3 subsystem of the Linux kernel. The flaw occurs in message parsing logic that fails to validate buffer boundaries before accessing decoding command structures. When a user-space process submits a specially crafted or malformed decoding message, the kernel driver reads past the end of the allocated buffer object (BO), potentially exposing arbitrary kernel memory. The vulnerability is classified as CWE-125 (Out-of-bounds Read).

Business impact

Organizations running GPU-accelerated Linux workloads—particularly those using AMD RDNA or CDNA GPUs for video transcoding, encoding, or machine learning inference—face two primary risks. First, an unprivileged local attacker can extract sensitive data from kernel memory, including cryptographic material, session tokens, or other workload secrets. Second, malformed requests can trigger kernel panics, disrupting service availability. In containerized or multi-tenant environments, this becomes a privilege-escalation and lateral-movement vector, particularly if GPU access is shared across security domains.

Affected systems

The vulnerability affects all Linux distributions and versions that include the vulnerable drm/amdgpu/vcn3 driver code. This includes any system using AMD Radeon RDNA, CDNA, or older GPU generations with integrated VCN (Video Core Next) hardware that has not applied the patched kernel version. Server deployments, workstations, and embedded systems with AMD GPUs are at risk. Verify the specific kernel version and AMD GPU driver revision in your environment against the upstream Linux kernel patch date of 2026-05-28.

Exploitability

Exploitation requires local system access (AV:L) and existing unprivileged user privileges (PR:L), making it a feasible attack vector in shared hosting, containerized, or multi-user environments. No interaction or special conditions are required once the attacker gains a shell on the system (AC:L, UI:N). The attack surface is activated whenever a process submits video decoding workloads to the GPU, a common operation in media servers, browser environments, or AI inference pipelines. However, this is not remotely exploitable and does not affect systems without AMD GPU hardware or with GPUs not in active use.

Remediation

Apply the patched Linux kernel that includes the boundary-checking fix for drm/amdgpu/vcn3 message parsing. Verify against the upstream kernel repository and your distribution's security advisory for the specific kernel version that resolves CVE-2026-46230 (published 2026-05-28). Restrict unprivileged access to GPU device nodes (/dev/dri/render*) via file permissions or access control lists if GPU workloads do not require broad user access. In containerized environments, use restrictive device policies and run containers with minimal GPU capabilities.

Patch guidance

Check your Linux distribution's security bulletins and kernel upgrade channels for the patched version addressing this vulnerability. Major distributions (Red Hat, Debian, Ubuntu, SUSE) typically release kernel security updates within 1–4 weeks of upstream patches. For rolling-release systems, update to the latest stable kernel snapshot dated after 2026-05-28. Verify the drm/amdgpu/vcn3 component changelog in your kernel release notes to confirm the bounds-checking fix is included. Test kernel updates in non-production environments first, especially if GPU acceleration is critical to your workload.

Detection guidance

Monitor system logs (dmesg, kernel audit) for GPU driver errors, invalid memory access warnings, or kernel oops messages tied to amdgpu or vcn3 components. Implement user-space fuzzing or integration tests that send malformed video decoding commands to the GPU and observe for memory access violations or system crashes. On systems with security monitoring (e.g., SELinux, AppArmor), flag any process attempting to exploit GPU driver interfaces with invalid parameters. Network-based detection is not applicable; focus on host-level intrusion detection and kernel crash analysis.

Why prioritize this

This vulnerability merits prompt patching for any organization operating AMD GPUs on Linux, especially in multi-tenant or high-security environments. The CVSS 3.1 score of 7.1 (HIGH) reflects moderate exploitability (local access required) combined with significant impact: confidentiality loss (kernel memory disclosure) and availability impact (potential DoS). While not in active exploitation tracked by CISA as of the published date, the low barrier to entry for local attackers and the prevalence of GPU workloads in modern infrastructure make it a near-term priority. Prioritize systems handling sensitive media processing or running untrusted code in containers.

Risk score, explained

The CVSS 3.1 score of 7.1 (HIGH severity) reflects: Attack Vector = Local (AV:L) and Attack Complexity = Low (AC:L), meaning any local user can attempt exploitation without special conditions; Privileges Required = Low (PR:L), so no admin access is needed; User Interaction = None (UI:N), indicating no human action is required to trigger the flaw; Scope = Unchanged (S:U); Confidentiality Impact = High (C:H) because kernel memory can be read; Integrity Impact = None (I:N); Availability Impact = High (A:H) because the kernel may crash. The score balances the practical barrier (local-only attack) against the severity of potential harm.

Frequently asked questions

Does this vulnerability affect AMD Radeon graphics cards in consumer PCs?

Yes, if your system runs Linux and uses an AMD Radeon GPU with video decoding capabilities (VCN3), you are affected. Consumer and workstation GPUs are equally vulnerable. Apply the patched kernel to mitigate risk.

Can this be exploited remotely over the network?

No. The vulnerability requires local system access (AV:L) and cannot be triggered remotely. An attacker must have a shell or process running on the affected Linux system to attempt exploitation.

What is the difference between this out-of-bounds read and a typical buffer overflow?

An out-of-bounds read (CWE-125) allows an attacker to read data beyond allocated memory boundaries, typically for information disclosure. This differs from a buffer overflow, which writes data and can lead to code execution. This vulnerability leaks kernel memory but does not enable arbitrary code execution.

If I don't use GPU video decoding, am I still affected?

If your GPU is present in the system but you do not actively submit video decoding workloads, the vulnerability is unlikely to be triggered in normal operation. However, patching remains recommended for defense-in-depth, as containerized or multi-user environments may inadvertently expose GPU interfaces.

This analysis is provided for informational purposes and reflects the vulnerability details as of the publication and modification dates listed. While we have cross-referenced the provided source data, readers should verify patch availability and applicability in their specific environment by consulting upstream Linux kernel repositories, their distribution's security advisories, and AMD's official GPU driver documentation. No exploit code or proof-of-concept is provided. Always test security updates in non-production environments before deployment. SEC.co and its analysts assume no liability for downstream security decisions or unintended consequences of patching actions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).