LiveActive security incident?Get immediate response
CVE Record

CVE-2026-53143: drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 The v11 MQD manager incorrectly assigned the CP-compute variants of checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow. During CRIU checkpoint of an SDMA queue on Navi3x: - checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer, leaking 1536 bytes of adjacent GTT memory to userspace During CRIU restore: - restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer, corrupting 1536 bytes of adjacent GTT memory (often the ring buffer or neighboring MQDs) This is a copy-paste regression unique to v11. All other ASIC backends (cik, vi, v9, v10, v12) correctly use the SDMA-specific variants. Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly handle the smaller v11_sdma_mqd structure, matching the pattern used in other MQD managers. (cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)

HighCVSS 7Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This Linux kernel flaw affects AMD GPU compute queue checkpoint and restore handling on GFX11/Navi3x systems. A local low-privileged user could cause sensitive GPU memory disclosure or memory corruption during CRIU workflows. Business urgency is highest for GPU compute, workstation, VDI, or container platforms using affected kernels and AMD KFD.

Executive priority

Treat as high priority for GPU compute environments, especially shared systems. It is not currently reported as exploited in the provided sources, but the impact can include memory disclosure and corruption from local users.

Technical view

The v11 AMD KFD MQD manager used compute checkpoint/restore handlers for SDMA queues. Those handlers copy 2048 bytes for a 512-byte SDMA MQD, creating a 1536-byte over-read during checkpoint and over-write during restore. The issue is local, high-complexity, low-privilege, and rated CVSS 7.0.

Likely exposure

Exposure appears limited to Linux systems with AMD GFX11/Navi3x GPUs, the amdkfd driver, SDMA queues, and CRIU checkpoint/restore paths. General Linux systems without this AMD GPU/KFD workflow are less likely exposed based on the bundle.

Exploitation context

The bundle marks KEV as false and provides no evidence of active exploitation. Exploitation requires local access and a specific GPU checkpoint/restore scenario, but impact includes confidentiality, integrity, and availability due to adjacent GTT memory disclosure or corruption.

Researcher notes

The root cause is CWE-131: incorrect size use. The regression is described as unique to v11; other ASIC backends reportedly use SDMA-specific handlers. Evidence does not establish remote reachability, generic GPU exposure, or public exploit availability.

Mitigation direction

  • Apply vendor kernel updates containing the referenced stable fixes.
  • Prioritize AMD GFX11/Navi3x GPU compute and CRIU-enabled hosts.
  • Check Red Hat and distribution advisories for supported package status.
  • Restrict untrusted local access to affected GPU compute hosts where feasible.
  • Monitor kernel vendor guidance for additional backports or mitigations.

Validation and detection

  • Inventory Linux hosts with AMD Navi3x or GFX11 GPUs.
  • Confirm whether amdkfd and CRIU checkpoint/restore workflows are used.
  • Map running kernel builds against vendor advisory status.
  • Verify the relevant stable kernel fix is present or backported.
  • Review GPU compute hosts for unexplained checkpoint/restore failures.
Prepared
Confidence
high
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-131: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-53143 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
1ADP providers
9Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7CVSS 3.1HighCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H15.9redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

7High
CVSS 3.1 vector shape for CVE-2026-53143Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Reported to Red Hat.

  3. ADP timelineredhat-SADP

    Made public.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

redhat-SADPkernel: drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
other:Red Hat severity ratingcvssV3_1
  • 2026-06-25T00:00:00.000Z: Reported to Red Hat.
  • 2026-06-25T00:00:00.000Z: Made public.
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxcc009e613de6560eb499f8bc92c80a737752cb30, cc009e613de6560eb499f8bc92c80a737752cb30, cc009e613de6560eb499f8bc92c80a737752cb30, cc009e613de6560eb499f8bc92c80a737752cb30, cc009e613de6560eb499f8bc92c80a737752cb30unaffected
LinuxLinux5.19, 0, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.