What is GHSA-4753-mhw2-5g7r?

GHSA-4753-mhw2-5g7r is a security advisory published by GitHub Security Advisories with High severity. In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix watch_id...

Which CVE IDs does GHSA-4753-mhw2-5g7r cover?

GHSA-4753-mhw2-5g7r covers the following CVE IDs: CVE-2026-45878. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-4753-mhw2-5g7r?

GHSA-4753-mhw2-5g7r has a CVSS v3 base score of 7.8, published by GitHub Security Advisories.

GHSA-4753-mhw2-5g7rHighCVSS 7.8

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix watch_id...

Vendor

GitHub Security Advisories

Published

May 27, 2026

Last Modified

May 30, 2026

🔗 CVE IDs covered (1)

CVE-2026-45878 →

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2

The address watch clear code receives watch_id as an unsigned value (u32), but some helper functions were using a signed int and checked bits by shifting with watch_id.

If a very large watch_id is passed from userspace, it can be converted to a negative value. This can cause invalid shifts and may access memory outside the watch_points array.

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2

Fix this by checking that watch_id is within MAX_WATCH_ADDRESSES before using it. Also use BIT(watch_id) to test and clear bits safely.

This keeps the behavior unchanged for valid watch IDs and avoids undefined behavior for invalid ones.

Fixes the below: drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448 kfd_dbg_trap_clear_dev_address_watch() error: buffer overflow 'pdd->watch_points' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped

drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c 433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd, 434 uint32_t watch_id) 435 { 436 int r; 437 438 if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))

kfd_dbg_owns_dev_watch_id() doesn't check for negative values so if watch_id is larger than INT_MAX it leads to a buffer overflow. (Negative shifts are undefined).

439                 return -EINVAL;
440
441         if (!pdd->dev->kfd->shared_resources.enable_mes) {
442                 r = debug_lock_and_unmap(pdd->dev->dqm);
443                 if (r)
444                         return r;
445         }
446
447         amdgpu_gfx_off_ctrl(pdd->dev->adev, false);

--> 448 pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch( 449 pdd->dev->adev, 450 watch_id);

v2: (as per, Jonathan Kim)

Add early watch_id >= MAX_WATCH_ADDRESSES validation in the set path to match the clear path.
Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id().

🔗 CVE IDs covered (1)

📋 Description

🔗 References (7)