{"api_version":"1","generated_at":"2026-07-04T18:20:05+00:00","cve":"CVE-2026-53139","urls":{"html":"https://cve.report/CVE-2026-53139","api":"https://cve.report/api/cve/CVE-2026-53139.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53139","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53139"},"summary":{"title":"drm/v3d: Skip CSD when it has zeroed workgroups","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Skip CSD when it has zeroed workgroups\n\nA compute shader dispatch encodes its workgroup counts in the CFG0..CFG2\nregisters. Kicking off a dispatch with a zero count in any of the three\ndimensions is invalid. First, the hardware will process 0 as 65536,\nwhile the user-space driver exposes a maximum of 65535. Over that, a\nsubmission with a zeroed workgroup dimension should be a no-op.\n\nThese zeroed counts can reach the dispatch path through an indirect CSD\njob, whose workgroup counts are only known once the indirect buffer is\nread and may legitimately be zero, but such scenario should only result in\na no-op.\n\nOverwrite the indirect CSD job workgroup counts with the indirect BO\nones, even if they are zeroed, and don't submit the job to the hardware\nwhen any of the workgroup counts is zero, so the job completes immediately\ninstead of running the shader.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:31","updated_at":"2026-07-04 12:16:59"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/abb069fdf51a9ddabcc1ed125dafe54e2089900b","name":"https://git.kernel.org/stable/c/abb069fdf51a9ddabcc1ed125dafe54e2089900b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ad166139d123dc162e8636f0c7962516d04074e1","name":"https://git.kernel.org/stable/c/ad166139d123dc162e8636f0c7962516d04074e1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9655b56b6de918e1c22b92f3880ae41b052cbd00","name":"https://git.kernel.org/stable/c/9655b56b6de918e1c22b92f3880ae41b052cbd00","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/11e6432836394e00d39e468cd514f9ddb66f1e49","name":"https://git.kernel.org/stable/c/11e6432836394e00d39e468cd514f9ddb66f1e49","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7f93fad5ea0affc9e1505dd0f7596c0fdb496213","name":"https://git.kernel.org/stable/c/7f93fad5ea0affc9e1505dd0f7596c0fdb496213","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b3a8dd72b0d008ff142880b4dbe5ca37dcf962b4","name":"https://git.kernel.org/stable/c/b3a8dd72b0d008ff142880b4dbe5ca37dcf962b4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8b51c5406ad748c3d5575b66b6009b5dbbc08b80","name":"https://git.kernel.org/stable/c/8b51c5406ad748c3d5575b66b6009b5dbbc08b80","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53139","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53139","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d223f98f02099b002903b9b22b56febae16ef80d b3a8dd72b0d008ff142880b4dbe5ca37dcf962b4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d223f98f02099b002903b9b22b56febae16ef80d 8b51c5406ad748c3d5575b66b6009b5dbbc08b80 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d223f98f02099b002903b9b22b56febae16ef80d abb069fdf51a9ddabcc1ed125dafe54e2089900b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d223f98f02099b002903b9b22b56febae16ef80d ad166139d123dc162e8636f0c7962516d04074e1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d223f98f02099b002903b9b22b56febae16ef80d 9655b56b6de918e1c22b92f3880ae41b052cbd00 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d223f98f02099b002903b9b22b56febae16ef80d 11e6432836394e00d39e468cd514f9ddb66f1e49 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d223f98f02099b002903b9b22b56febae16ef80d 7f93fad5ea0affc9e1505dd0f7596c0fdb496213 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.3","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.3 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.211 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.177 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.144 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.95 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"53139","cve":"CVE-2026-53139","epss":"0.001660000","percentile":"0.061410000","score_date":"2026-07-03","updated_at":"2026-07-04 00:02:19"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/gpu/drm/v3d/v3d_sched.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"b3a8dd72b0d008ff142880b4dbe5ca37dcf962b4","status":"affected","version":"d223f98f02099b002903b9b22b56febae16ef80d","versionType":"git"},{"lessThan":"8b51c5406ad748c3d5575b66b6009b5dbbc08b80","status":"affected","version":"d223f98f02099b002903b9b22b56febae16ef80d","versionType":"git"},{"lessThan":"abb069fdf51a9ddabcc1ed125dafe54e2089900b","status":"affected","version":"d223f98f02099b002903b9b22b56febae16ef80d","versionType":"git"},{"lessThan":"ad166139d123dc162e8636f0c7962516d04074e1","status":"affected","version":"d223f98f02099b002903b9b22b56febae16ef80d","versionType":"git"},{"lessThan":"9655b56b6de918e1c22b92f3880ae41b052cbd00","status":"affected","version":"d223f98f02099b002903b9b22b56febae16ef80d","versionType":"git"},{"lessThan":"11e6432836394e00d39e468cd514f9ddb66f1e49","status":"affected","version":"d223f98f02099b002903b9b22b56febae16ef80d","versionType":"git"},{"lessThan":"7f93fad5ea0affc9e1505dd0f7596c0fdb496213","status":"affected","version":"d223f98f02099b002903b9b22b56febae16ef80d","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/gpu/drm/v3d/v3d_sched.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.3"},{"lessThan":"5.3","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.211","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.177","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.144","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.95","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.211","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.177","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.144","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.95","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"5.3","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Skip CSD when it has zeroed workgroups\n\nA compute shader dispatch encodes its workgroup counts in the CFG0..CFG2\nregisters. Kicking off a dispatch with a zero count in any of the three\ndimensions is invalid. First, the hardware will process 0 as 65536,\nwhile the user-space driver exposes a maximum of 65535. Over that, a\nsubmission with a zeroed workgroup dimension should be a no-op.\n\nThese zeroed counts can reach the dispatch path through an indirect CSD\njob, whose workgroup counts are only known once the indirect buffer is\nread and may legitimately be zero, but such scenario should only result in\na no-op.\n\nOverwrite the indirect CSD job workgroup counts with the indirect BO\nones, even if they are zeroed, and don't submit the job to the hardware\nwhen any of the workgroup counts is zero, so the job completes immediately\ninstead of running the shader."}],"providerMetadata":{"dateUpdated":"2026-07-04T11:50:52.146Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/b3a8dd72b0d008ff142880b4dbe5ca37dcf962b4"},{"url":"https://git.kernel.org/stable/c/8b51c5406ad748c3d5575b66b6009b5dbbc08b80"},{"url":"https://git.kernel.org/stable/c/abb069fdf51a9ddabcc1ed125dafe54e2089900b"},{"url":"https://git.kernel.org/stable/c/ad166139d123dc162e8636f0c7962516d04074e1"},{"url":"https://git.kernel.org/stable/c/9655b56b6de918e1c22b92f3880ae41b052cbd00"},{"url":"https://git.kernel.org/stable/c/11e6432836394e00d39e468cd514f9ddb66f1e49"},{"url":"https://git.kernel.org/stable/c/7f93fad5ea0affc9e1505dd0f7596c0fdb496213"}],"title":"drm/v3d: Skip CSD when it has zeroed workgroups","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53139","datePublished":"2026-06-25T08:38:27.738Z","dateReserved":"2026-06-09T07:44:35.387Z","dateUpdated":"2026-07-04T11:50:52.146Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:31","lastModifiedDate":"2026-07-04 12:16:59","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53139","Ordinal":"1","Title":"drm/v3d: Skip CSD when it has zeroed workgroups","CVE":"CVE-2026-53139","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53139","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Skip CSD when it has zeroed workgroups\n\nA compute shader dispatch encodes its workgroup counts in the CFG0..CFG2\nregisters. Kicking off a dispatch with a zero count in any of the three\ndimensions is invalid. First, the hardware will process 0 as 65536,\nwhile the user-space driver exposes a maximum of 65535. Over that, a\nsubmission with a zeroed workgroup dimension should be a no-op.\n\nThese zeroed counts can reach the dispatch path through an indirect CSD\njob, whose workgroup counts are only known once the indirect buffer is\nread and may legitimately be zero, but such scenario should only result in\na no-op.\n\nOverwrite the indirect CSD job workgroup counts with the indirect BO\nones, even if they are zeroed, and don't submit the job to the hardware\nwhen any of the workgroup counts is zero, so the job completes immediately\ninstead of running the shader.","Type":"Description","Title":"drm/v3d: Skip CSD when it has zeroed workgroups"}]}}}