HIGH

CVE-2026-45878

Published: May 27, 2026 · Updated: May 30, 2026

7.8
CVSS v3.1

Official Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2

The address watch clear code receives watch_id as an unsigned value
(u32), but some helper functions were using a signed int and checked
bits by shifting with watch_id.

If a very large watch_id is passed from userspace, it can be converted
to a negative value. This can cause invalid shifts and may access
memory outside the watch_points array.

Fix this by checking that watch_id is within MAX_WATCH_ADDRESSES before
using it. Also use BIT(watch_id) to test and clear bits safely.

This keeps the behavior unchanged for valid watch IDs and avoids
undefined behavior for invalid ones.

Fixes the below:

drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448
kfd_dbg_trap_clear_dev_address_watch() error: buffer overflow
'pdd->watch_points' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped

drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c
    433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd,
    434                                          uint32_t watch_id)
    435 {
    436         int r;
    437
    438         if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))

kfd_dbg_owns_dev_watch_id() doesn't check for negative values so if
watch_id is larger than INT_MAX it leads to a buffer overflow.
(Negative shifts are undefined).

    439                 return -EINVAL;
    440
    441         if (!pdd->dev->kfd->shared_resources.enable_mes) {
    442                 r = debug_lock_and_unmap(pdd->dev->dqm);
    443                 if (r)
    444                         return r;
    445         }
    446
    447         amdgpu_gfx_off_ctrl(pdd->dev->adev, false);
--> 448         pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch(
    449                                                         pdd->dev->adev,
    450                                                         watch_id);

v2: (as per, Jonathan Kim)
- Add early watch_id >= MAX_WATCH_ADDRESSES validation in the set path to
  match the clear path.
- Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id().

NVD Source
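
A user-space C model of the bug class the description covers, added here as an illustration and not the kernel's code: it shows how a u32 above INT_MAX looks to a signed helper, next to a range-check-first ownership test and clear path. `dev_model`, `as_signed_helper_arg`, `owns_watch_id` and `clear_watch` are hypothetical names, and `MAX_WATCH_ADDRESSES` is set to 4 from the array size in the smatch report.

```c
#include <stdint.h>
#include <stdio.h>

/* Model only: the struct and function names are hypothetical. */
#define MAX_WATCH_ADDRESSES 4      /* assumed from "4 <= u32max" in the report */
#define BIT(n) (1U << (n))         /* unsigned shift, as in the kernel macro */

struct dev_model {
    uint32_t alloc_mask;                        /* one bit per owned watch point */
    uint32_t watch_points[MAX_WATCH_ADDRESSES];
};

/* What a helper taking "int" receives: a u32 above INT_MAX turns negative.
 * The conversion is implementation-defined; gcc and clang wrap. */
static int as_signed_helper_arg(uint32_t watch_id)
{
    return (int)watch_id;
}

/* Ownership test with the range check first, then an unsigned bit test. */
static int owns_watch_id(const struct dev_model *d, uint32_t watch_id)
{
    if (watch_id >= MAX_WATCH_ADDRESSES)
        return 0;
    return (d->alloc_mask & BIT(watch_id)) != 0;
}

/* Clear path: 0 on success, -1 (standing in for -EINVAL) on a bad id. */
static int clear_watch(struct dev_model *d, uint32_t watch_id)
{
    if (!owns_watch_id(d, watch_id))
        return -1;
    d->watch_points[watch_id] = 0;   /* index is now proven to be in 0..3 */
    d->alloc_mask &= ~BIT(watch_id);
    return 0;
}

int main(void)
{
    struct dev_model d = { .alloc_mask = BIT(1), .watch_points = { 0, 0xabcd, 0, 0 } };
    uint32_t ids[] = { 1, 3, 4, 0x80000000u, 0xffffffffu };  /* constructed inputs */

    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        int as_int = as_signed_helper_arg(ids[i]);
        printf("id=%u as int=%d clear=%d\n", (unsigned)ids[i], as_int,
               clear_watch(&d, ids[i]));
    }
    return 0;
}
```
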

Technical Analysis

CVE-2026-45878 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation) and availability disruption (denial of service), for a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Impact
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description): Linux

CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-45878
CVSS Score: 7.8 / 10
Severity: HIGH
CISA KEV: No
Published: May 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-45878 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.