Bug 2486470 (CVE-2026-46311)

Summary: CVE-2026-46311 kernel: drm/amdgpu/userq: fix access to stale wptr mapping
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel. This vulnerability, located in the `drm/amdgpu/userq` component, involves improper handling of memory mappings. A local attacker could potentially exploit a race condition during queue creation, where a memory object is unmapped while another is being assigned to the same address. This could lead to unauthorized access to sensitive memory, potentially resulting in information disclosure or system instability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-08 17:03:42 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/userq: fix access to stale wptr mapping

Use drm_exec to take both locks i.e vm root bo and
wptr_obj bo to access the mapping data properly.

This fixes the security issue of unmap the wptr_obj while
a queue creation is in progress and passing other
bo at same address.

(cherry picked from commit 1fc6c8ab45dbee096469c08c13f6099d57a52d6c)
Comment 1 Keith Grant 2026-06-08 18:19:14 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026060853-CVE-2026-46311-bf08@gregkh/T