{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43169","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.990Z","datePublished":"2026-05-06T11:27:45.356Z","dateUpdated":"2026-05-11T22:19:07.323Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:19:07.323Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/buddy: Prevent BUG_ON by validating rounded allocation\n\nWhen DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is\nrounded up to the next power-of-two via roundup_pow_of_two().\nSimilarly, for non-contiguous allocations with large min_block_size,\nthe size is aligned up via round_up(). Both operations can produce a\nrounded size that exceeds mm->size, which later triggers\nBUG_ON(order > mm->max_order).\n\nExample scenarios:\n- 9G CONTIGUOUS allocation on 10G VRAM memory:\n  roundup_pow_of_two(9G) = 16G > 10G\n- 9G allocation with 8G min_block_size on 10G VRAM memory:\n  round_up(9G, 8G) = 16G > 10G\n\nFix this by checking the rounded size against mm->size. For\nnon-contiguous or range allocations where size > mm->size is invalid,\nreturn -EINVAL immediately. For contiguous allocations without range\nrestrictions, allow the request to fall through to the existing\n__alloc_contig_try_harder() fallback.\n\nThis ensures invalid user input returns an error or uses the fallback\npath instead of hitting BUG_ON.\n\nv2: (Matt A)\n- Add Fixes, Cc stable, and Closes tags for context"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/drm_buddy.c"],"versions":[{"version":"0a1844bf0b532d84324453374ad6845f64066c28","lessThan":"d764b8dd420098a4d253b8a5b27568c897edb2cf","status":"affected","versionType":"git"},{"version":"0a1844bf0b532d84324453374ad6845f64066c28","lessThan":"6236c1cd9fdf433d39ed28b2491ccdfe7ae95061","status":"affected","versionType":"git"},{"version":"0a1844bf0b532d84324453374ad6845f64066c28","lessThan":"ecb32c60d8cbed2ee9ce9f343b6aa2f32babc727","status":"affected","versionType":"git"},{"version":"0a1844bf0b532d84324453374ad6845f64066c28","lessThan":"5488a29596cdba93a60a79398dc9b69d5bdadf92","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/drm_buddy.c"],"versions":[{"version":"6.7","status":"affected"},{"version":"0","lessThan":"6.7","status":"unaffected","versionType":"semver"},{"version":"6.12.75","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.18.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.19.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d764b8dd420098a4d253b8a5b27568c897edb2cf"},{"url":"https://git.kernel.org/stable/c/6236c1cd9fdf433d39ed28b2491ccdfe7ae95061"},{"url":"https://git.kernel.org/stable/c/ecb32c60d8cbed2ee9ce9f343b6aa2f32babc727"},{"url":"https://git.kernel.org/stable/c/5488a29596cdba93a60a79398dc9b69d5bdadf92"}],"title":"drm/buddy: Prevent BUG_ON by validating rounded allocation","x_generator":{"engine":"bippy-1.2.0"}}}}