CVE-2026-53325 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

agp/amd64: Fix broken error propagation in agp_amd64_probe()

A NULL pointer dereference was observed in the AMD64 AGP driver when
running in a virtualized environment (e.g. qemu/kvm) without a physical
AMD northbridge. The crash occurs in amd64_fetch_size() when attempting
to dereference the pointer returned by node_to_amd_nb(0).

The root cause of this crash is broken error propagation in
agp_amd64_probe(): When no AMD northbridges are found, cache_nbs()
correctly returns -ENODEV. However, the probe function erroneously
checks the return value against exactly -1, rather than < 0.

As a result, the hardware absence error is masked, allowing the driver
to improperly proceed with initialization. It eventually calls
agp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware
does not exist, node_to_amd_nb(0) returns NULL, leading to a General
Protection Fault (GPF) when accessing its ->misc member.

Fix the issue by correcting the error check in agp_amd64_probe() to
abort properly when cache_nbs() returns any negative error code. This
prevents the driver from erroneously proceeding without hardware, thereby
avoiding the subsequent NULL pointer dereference at its source.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a32073bffc656ca4bde6002b6cf7c1a8e0e22712`	affected	< 53483a9f4ee9eeb18aa866ec16cce79e136987e1
`a32073bffc656ca4bde6002b6cf7c1a8e0e22712`	affected	< 0aa9b27c454c53074cde592eaceb442d30341585
`a32073bffc656ca4bde6002b6cf7c1a8e0e22712`	affected	< cefe535a60a2e00e09f4b2689b0c8ffc6912459a
`a32073bffc656ca4bde6002b6cf7c1a8e0e22712`	affected	< b08472db93b1ccff84a7adec5779d47f0e9d3a30

Linux

affected

Version	Status	Constraints
`2.6.18`	affected	—
`0`	unaffected	< 2.6.18
`6.18.37`	unaffected	≤ 6.18.*
`7.0.14`	unaffected	≤ 7.0.*
`7.1.2`	unaffected	≤ 7.1.*
`7.2-rc1`	unaffected	≤ *

No data.

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/0aa9b27c454c53074cde592eaceb442d30341585
https://git.kernel.org/stable/c/53483a9f4ee9eeb18aa866ec16cce79e136987e1
https://git.kernel.org/stable/c/b08472db93b1ccff84a7adec5779d47f0e9d3a30
https://git.kernel.org/stable/c/cefe535a60a2e00e09f4b2689b0c8ffc6912459a

History

Mon, 29 Jun 2026 05:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: agp/amd64: Fix broken error propagation in agp_amd64_probe() A NULL pointer dereference was observed in the AMD64 AGP driver when running in a virtualized environment (e.g. qemu/kvm) without a physical AMD northbridge. The crash occurs in amd64_fetch_size() when attempting to dereference the pointer returned by node_to_amd_nb(0). The root cause of this crash is broken error propagation in agp_amd64_probe(): When no AMD northbridges are found, cache_nbs() correctly returns -ENODEV. However, the probe function erroneously checks the return value against exactly -1, rather than < 0. As a result, the hardware absence error is masked, allowing the driver to improperly proceed with initialization. It eventually calls agp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware does not exist, node_to_amd_nb(0) returns NULL, leading to a General Protection Fault (GPF) when accessing its ->misc member. Fix the issue by correcting the error check in agp_amd64_probe() to abort properly when cache_nbs() returns any negative error code. This prevents the driver from erroneously proceeding without hardware, thereby avoiding the subsequent NULL pointer dereference at its source.
Title		agp/amd64: Fix broken error propagation in agp_amd64_probe()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0aa9b27c454c53074cde592eaceb442d30341585 https://git.kernel.org/stable/c/53483a9f4ee9eeb18aa866ec16cce79e136987e1 https://git.kernel.org/stable/c/b08472db93b1ccff84a7adec5779d47f0e9d3a30 https://git.kernel.org/stable/c/cefe535a60a2e00e09f4b2689b0c8ffc6912459a

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-29T04:53:35.833Z

Updated: 2026-06-29T04:53:35.833Z

Reserved: 2026-06-09T07:44:35.398Z

Link: CVE-2026-53325

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object