CVE-2026-53325 (GCVE-0-2026-53325)
Vulnerability from cvelistv5 – Published: 2026-06-29 04:53 – Updated: 2026-06-29 04:53
Title
agp/amd64: Fix broken error propagation in agp_amd64_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:

agp/amd64: Fix broken error propagation in agp_amd64_probe()

A NULL pointer dereference was observed in the AMD64 AGP driver when
running in a virtualized environment (e.g. qemu/kvm) without a physical
AMD northbridge. The crash occurs in amd64_fetch_size() when attempting
to dereference the pointer returned by node_to_amd_nb(0).

The root cause of this crash is broken error propagation in
agp_amd64_probe(): When no AMD northbridges are found, cache_nbs()
correctly returns -ENODEV. However, the probe function erroneously
checks the return value against exactly -1, rather than < 0.

As a result, the hardware absence error is masked, allowing the driver
to improperly proceed with initialization. It eventually calls
agp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware
does not exist, node_to_amd_nb(0) returns NULL, leading to a General
Protection Fault (GPF) when accessing its ->misc member.

Fix the issue by correcting the error check in agp_amd64_probe() to
abort properly when cache_nbs() returns any negative error code. This
prevents the driver from erroneously proceeding without hardware, thereby
avoiding the subsequent NULL pointer dereference at its source.
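The error-check defect described above, as an added user-space model that is not the kernel source or the upstream patch. Function names follow the advisory; their bodies, `set_hardware()`, `add_bridge()` and the `probe_result` enum are assumptions made for illustration, and the model reports the NULL case instead of faulting.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model of the probe path; names mirror the advisory, bodies are assumed. */
struct amd_nb { unsigned int misc; };

static struct amd_nb *nbs;      /* NULL when no northbridge exists (the qemu/kvm case) */
static int nb_count;

static void set_hardware(struct amd_nb *table, int count) { nbs = table; nb_count = count; }

static struct amd_nb *node_to_amd_nb(int node)
{
    return (node >= 0 && node < nb_count) ? &nbs[node] : NULL;
}

static int cache_nbs(void) { return nb_count > 0 ? 0 : -ENODEV; }

enum probe_result { PROBE_OK, PROBE_ABORTED, PROBE_NULL_DEREF };

/* Stand-in for agp_add_bridge() -> amd64_fetch_size(): reports instead of faulting. */
static enum probe_result add_bridge(void)
{
    struct amd_nb *nb = node_to_amd_nb(0);
    if (nb == NULL)
        return PROBE_NULL_DEREF;    /* the driver would read nb->misc here */
    (void)nb->misc;
    return PROBE_OK;
}

static enum probe_result probe_buggy(void)
{
    if (cache_nbs() == -1)          /* -1 is -EPERM; -ENODEV never matches */
        return PROBE_ABORTED;
    return add_bridge();
}

static enum probe_result probe_fixed(void)
{
    if (cache_nbs() < 0)            /* any negative errno aborts the probe */
        return PROBE_ABORTED;
    return add_bridge();
}

int main(void)
{
    set_hardware(NULL, 0);
    printf("no northbridge: buggy=%d fixed=%d\n", probe_buggy(), probe_fixed());
    return 0;
}
```

With hardware present both variants behave identically, which is why the defect only surfaces on systems without an AMD northbridge.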
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a32073bffc656ca4bde6002b6cf7c1a8e0e22712 , < 53483a9f4ee9eeb18aa866ec16cce79e136987e1 (git); Affected: a32073bffc656ca4bde6002b6cf7c1a8e0e22712 , < 0aa9b27c454c53074cde592eaceb442d30341585 (git); Affected: a32073bffc656ca4bde6002b6cf7c1a8e0e22712 , < cefe535a60a2e00e09f4b2689b0c8ffc6912459a (git); Affected: a32073bffc656ca4bde6002b6cf7c1a8e0e22712 , < b08472db93b1ccff84a7adec5779d47f0e9d3a30 (git) |
| Linux | Linux | Affected: 2.6.18; Unaffected: 0 , < 2.6.18 (semver); Unaffected: 6.18.37 , ≤ 6.18.* (semver); Unaffected: 7.0.14 , ≤ 7.0.* (semver); Unaffected: 7.1.2 , ≤ 7.1.* (semver); Unaffected: 7.2-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/agp/amd64-agp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53483a9f4ee9eeb18aa866ec16cce79e136987e1",
"status": "affected",
"version": "a32073bffc656ca4bde6002b6cf7c1a8e0e22712",
"versionType": "git"
},
{
"lessThan": "0aa9b27c454c53074cde592eaceb442d30341585",
"status": "affected",
"version": "a32073bffc656ca4bde6002b6cf7c1a8e0e22712",
"versionType": "git"
},
{
"lessThan": "cefe535a60a2e00e09f4b2689b0c8ffc6912459a",
"status": "affected",
"version": "a32073bffc656ca4bde6002b6cf7c1a8e0e22712",
"versionType": "git"
},
{
"lessThan": "b08472db93b1ccff84a7adec5779d47f0e9d3a30",
"status": "affected",
"version": "a32073bffc656ca4bde6002b6cf7c1a8e0e22712",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/agp/amd64-agp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.1.*",
"status": "unaffected",
"version": "7.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.2-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.37",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.14",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.2",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.2-rc1",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nagp/amd64: Fix broken error propagation in agp_amd64_probe()\n\nA NULL pointer dereference was observed in the AMD64 AGP driver when\nrunning in a virtualized environment (e.g. qemu/kvm) without a physical\nAMD northbridge. The crash occurs in amd64_fetch_size() when attempting\nto dereference the pointer returned by node_to_amd_nb(0).\n\nThe root cause of this crash is broken error propagation in\nagp_amd64_probe(): When no AMD northbridges are found, cache_nbs()\ncorrectly returns -ENODEV. However, the probe function erroneously\nchecks the return value against exactly -1, rather than \u003c 0.\n\nAs a result, the hardware absence error is masked, allowing the driver\nto improperly proceed with initialization. It eventually calls\nagp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware\ndoes not exist, node_to_amd_nb(0) returns NULL, leading to a General\nProtection Fault (GPF) when accessing its -\u003emisc member.\n\nFix the issue by correcting the error check in agp_amd64_probe() to\nabort properly when cache_nbs() returns any negative error code. This\nprevents the driver from erroneously proceeding without hardware, thereby\navoiding the subsequent NULL pointer dereference at its source."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T04:53:35.833Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53483a9f4ee9eeb18aa866ec16cce79e136987e1"
},
{
"url": "https://git.kernel.org/stable/c/0aa9b27c454c53074cde592eaceb442d30341585"
},
{
"url": "https://git.kernel.org/stable/c/cefe535a60a2e00e09f4b2689b0c8ffc6912459a"
},
{
"url": "https://git.kernel.org/stable/c/b08472db93b1ccff84a7adec5779d47f0e9d3a30"
}
],
"title": "agp/amd64: Fix broken error propagation in agp_amd64_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53325",
"datePublished": "2026-06-29T04:53:35.833Z",
"dateReserved": "2026-06-09T07:44:35.398Z",
"dateUpdated": "2026-06-29T04:53:35.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-53325",
"date": "2026-07-03",
"epss": "0.00175",
"percentile": "0.07179"
}
}
}