CVE-2026-53190
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
In the Linux kernel, a dma_fence refcount leak was found in the virtio-gpu driver. The function virtio_gpu_dma_fence_wait() fails to release the chain reference on early return from the loop on error, causing a memory leak.
Risk Assessment
The reference leak can lead to gradual kernel memory exhaustion, potentially causing system instability or denial of service (DoS) in environments heavily using GPU virtualization.
Recommendation
Immediately apply the Linux kernel patch that adds dma_fence_put(itr.chain) before the early return in virtio_gpu_dma_fence_wait().
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() dma_fence_unwrap_for_each() internally calls dma_fence_unwrap_first() which does cursor->chain = dma_fence_get(head), taking an extra reference. On normal loop completion, dma_fence_unwrap_next() releases this via dma_fence_chain_walk() -> dma_fence_put(). When virtio_gpu_do_fence_wait() fails and the function returns early from inside the loop, the cursor->chain reference is never released. This is the only caller in the entire kernel that does an early return inside dma_fence_unwrap_for_each. Add dma_fence_put(itr.chain) before the early return.

