CVE-2026-53140
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
A vulnerability in the Linux kernel's DRM V3D driver causes a virtual address (vaddr) mapping leak when processing indirect CSD buffers. If the workgroup count read from the buffer is zero, the v3d_rewrite_csd_job_wg_counts_from_indirect() function exits early without releasing the mappings of both buffers.
Risk Assessment
The memory mapping leak can exhaust system resources, potentially leading to denial of service (DoS) or system instability.
Recommendation
Immediately update the Linux kernel to a version containing the fix that ensures cleanup of mappings even when the workgroup count is zero.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups v3d_rewrite_csd_job_wg_counts_from_indirect() maps both the indirect buffer and the workgroup buffer and is expected to release them before returning. When any of the workgroup counts read from the buffer is zero, the function bailed out early and skipped the cleanup, leaking the vaddr mappings of both BOs. Jump to the cleanup path instead of returning directly, so the mappings are always dropped.

