Linux Kernel: AMDKFD SDMA Checkpt/Restore Buffer Overflow (CVE-2026-53143)
CVE-2026-53143 Published on June 25, 2026
drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
The v11 MQD manager incorrectly assigned the CP-compute variants of
checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions
use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct
v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow.
During CRIU checkpoint of an SDMA queue on Navi3x:
- checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer,
leaking 1536 bytes of adjacent GTT memory to userspace
During CRIU restore:
- restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer,
corrupting 1536 bytes of adjacent GTT memory (often the ring buffer
or neighboring MQDs)
This is a copy-paste regression unique to v11. All other ASIC backends
(cik, vi, v9, v10, v12) correctly use the SDMA-specific variants.
Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly
handle the smaller v11_sdma_mqd structure, matching the pattern used in
other MQD managers.
(cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)
Vulnerability Analysis
CVE-2026-53143 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Incorrect Calculation of Buffer Size
The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
Products Associated with CVE-2026-53143
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Red Hat Enterprise Linux (RHEL). Just hit a watch button to start following.
Affected Versions
Linux:- Version cc009e613de6560eb499f8bc92c80a737752cb30 and below 16dad1fb0d783a4008de30e32d0038c393de05b1 is affected.
- Version cc009e613de6560eb499f8bc92c80a737752cb30 and below 2c5b66c9b4057b385566940935ebc32f6e6ebfd2 is affected.
- Version cc009e613de6560eb499f8bc92c80a737752cb30 and below d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64 is affected.
- Version cc009e613de6560eb499f8bc92c80a737752cb30 and below d02f05d30f35b036f7cbaf72de634affb5b38ec6 is affected.
- Version cc009e613de6560eb499f8bc92c80a737752cb30 and below 352ea59028ea48a6fff77f19ae28f98f71946a80 is affected.
- Version 5.19 is affected.
- Before 5.19 is unaffected.
- Version 6.6.143, <= 6.6.* is unaffected.
- Version 6.12.94, <= 6.12.* is unaffected.
- Version 6.18.36, <= 6.18.* is unaffected.
- Version 7.0.13, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.