{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm\/amdkfd: Fix watch_id bounds checking in debug address watch v2\\n\\nThe address watch clear code receives watch_id as an unsigned value\\n(u32), but some helper functions were using a signed int and checked\\nbits by shifting with watch_id.\\n\\nIf a very large watch_id is passed from userspace, it can be converted\\nto a negative value. This can cause invalid shifts and may access\\nmemory outside the watch_points array.\\n\\ndrm\/amdkfd: Fix watch_id bounds checking in debug address watch v2\\n\\nFix this by checking that watch_id is within MAX_WATCH_ADDRESSES before\\nusing it. Also use BIT(watch_id) to test and clear bits safely.\\n\\nThis keeps the behavior unchanged for valid watch IDs and avoids\\nundefined behavior for invalid ones.\\n\\nFixes the below:\\ndrivers\/gpu\/drm\/amd\/amdgpu\/..\/amdkfd\/kfd_debug.c:448\\nkfd_dbg_trap_clear_dev_address_watch() error: buffer overflow\\n’pdd-\\u003ewatch_points’ 4 \\u003c= u32max user_rl=’0-3,2147483648-u32max’ uncapped\\n\\ndrivers\/gpu\/drm\/amd\/amdgpu\/..\/amdkfd\/kfd_debug.c\\n 433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd,\\n 434 uint32_t watch_id)\\n 435 {\\n 436 int r;\\n 437\\n 438 if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))\\n\\nkfd_dbg_owns_dev_watch_id() doesn’t check for negative values so if\\nwatch_id is larger than INT_MAX it leads to a buffer overflow.\\n(Negative shifts are undefined).\\n\\n 439 return -EINVAL;\\n 440\\n 441 if (!pdd-\\u003edev-\\u003ekfd-\\u003eshared_resources.enable_mes) {\\n 442 r = debug_lock_and_unmap(pdd-\\u003edev-\\u003edqm);\\n 443 if (r)\\n 444 return r;\\n 445 }\\n 446\\n 447 amdgpu_gfx_off_ctrl(pdd-\\u003edev-\\u003eadev, false);\\n–\\u003e 448 pdd-\\u003ewatch_points[watch_id] = pdd-\\u003edev-\\u003ekfd2kgd-\\u003eclear_address_watch(\\n 449 pdd-\\u003edev-\\u003eadev,\\n 450 watch_id);\\n\\nv2: (as per, Jonathan Kim)\\n – Add early watch_id \\u003e= MAX_WATCH_ADDRESSES validation in the set path to\\n match the clear path.\\n – Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id().”,”published”:”2026-05-27T12:16:49.108Z”,”modified”:”2026-05-30T10:45:44.269Z”,”type”:”cve”,”title”:”drm\/amdkfd: Fix watch_id bounds checking in debug address watch v2″,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/971bf8e61e9b4abaacf9b35eaf76ec222758f9d6\\nhttps:\/\/git.kernel.org\/stable\/c\/a0d367e13db63a6ed76ee0d0a8c3a58c1fa98488\\nhttps:\/\/git.kernel.org\/stable\/c\/2b36c0c1bcbbe15f6cfa9652084b3124c835a150\\nhttps:\/\/git.kernel.org\/stable\/c\/3c38a0f07aa2bfef2b219b1f045534ad93f85afd\\nhttps:\/\/git.kernel.org\/stable\/c\/5a19302cab5cec7ae7f1a60c619951e6c17d8742″,”id”:”CVE-2026-45878″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e\\nLinux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e\\nLinux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e\\nLinux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e\\nLinux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e\\nLinux Linux 6.5″,”sourceHref”:””,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”e0f85f4690d089cc1a60337decafb1acf7eec45e”,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm\/amdkfd: Fix watch_id bounds checking in debug address watch v2\\n\\nThe address watch clear code receives watch_id…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,28,12,15,13,7,11,5],"class_list":["post-58542","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n