CVE-2026-52987
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
In the Linux kernel, the amdgpu driver has a double call to drm_exec_fini() in the userq validation function. When new_addition is true, exec is finalized first, and then on error from amdgpu_ttm_tt_get_user_pages(), drm_exec_fini() is called again, causing a double free. The issue was found by a static analysis tool and confirmed by code review.
Risk Assessment
Double invocation of drm_exec_fini() can lead to memory corruption, leaks, or system crashes, posing a risk to stability and security in environments with AMD GPUs.
Recommendation
Immediately update the Linux kernel to a version containing commit 2802952e4a07306da6ebe813ff1acacc5691851a or later, which fixes this double call.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid double drm_exec_fini() in userq validate When new_addition is true, amdgpu_userq_vm_validate() calls drm_exec_fini(&exec) before iterating over the collected HMM ranges and calling amdgpu_ttm_tt_get_user_pages(). If amdgpu_ttm_tt_get_user_pages() fails in that path, the code jumps to unlock_all and calls drm_exec_fini(&exec) a second time on the same exec object. drm_exec_fini() is not idempotent: it frees exec->objects and may also drop exec->contended and finalize the ww acquire context. Route that error path directly to the range cleanup once exec has already been finalized. Issue found using a prototype static analysis tool and confirmed by code review. (cherry picked from commit 2802952e4a07306da6ebe813ff1acacc5691851a)

