CVE-2026-53143: drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
The v11 MQD manager incorrectly assigned the CP-compute variants of
checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions
use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct
v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow.
During CRIU checkpoint of an SDMA queue on Navi3x:
- checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer,
leaking 1536 bytes of adjacent GTT memory to userspace
During CRIU restore:
- restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer,
corrupting 1536 bytes of adjacent GTT memory (often the ring buffer
or neighboring MQDs)
This is a copy-paste regression unique to v11. All other ASIC backends
(cik, vi, v9, v10, v12) correctly use the SDMA-specific variants.
Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly
handle the smaller v11_sdma_mqd structure, matching the pattern used in
other MQD managers.
(cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)
Security readout for executives and security teams
Plain-English summary
This Linux kernel flaw affects AMD GPU compute queue checkpoint and restore handling on GFX11/Navi3x systems. A local low-privileged user could cause sensitive GPU memory disclosure or memory corruption during CRIU workflows. Business urgency is highest for GPU compute, workstation, VDI, or container platforms using affected kernels and AMD KFD.
Executive priority
Treat as high priority for GPU compute environments, especially shared systems. It is not currently reported as exploited in the provided sources, but the impact can include memory disclosure and corruption from local users.
Technical view
The v11 AMD KFD MQD manager used compute checkpoint/restore handlers for SDMA queues. Those handlers copy 2048 bytes for a 512-byte SDMA MQD, creating a 1536-byte over-read during checkpoint and over-write during restore. The issue is local, high-complexity, low-privilege, and rated CVSS 7.0.
Likely exposure
Exposure appears limited to Linux systems with AMD GFX11/Navi3x GPUs, the amdkfd driver, SDMA queues, and CRIU checkpoint/restore paths. General Linux systems without this AMD GPU/KFD workflow are less likely exposed based on the bundle.
Exploitation context
The bundle marks KEV as false and provides no evidence of active exploitation. Exploitation requires local access and a specific GPU checkpoint/restore scenario, but impact includes confidentiality, integrity, and availability due to adjacent GTT memory disclosure or corruption.
Researcher notes
The root cause is CWE-131: incorrect size use. The regression is described as unique to v11; other ASIC backends reportedly use SDMA-specific handlers. Evidence does not establish remote reachability, generic GPU exposure, or public exploit availability.
Mitigation direction
Apply vendor kernel updates containing the referenced stable fixes.
Prioritize AMD GFX11/Navi3x GPU compute and CRIU-enabled hosts.
Check Red Hat and distribution advisories for supported package status.
Restrict untrusted local access to affected GPU compute hosts where feasible.
Monitor kernel vendor guidance for additional backports or mitigations.
Validation and detection
Inventory Linux hosts with AMD Navi3x or GFX11 GPUs.
Confirm whether amdkfd and CRIU checkpoint/restore workflows are used.
Map running kernel builds against vendor advisory status.
Verify the relevant stable kernel fix is present or backported.
Review GPU compute hosts for unexplained checkpoint/restore failures.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-131: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
5Timeline events
1ADP providers
9Source links
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.