A Linux kernel vulnerability just hit the National Vulnerability Database, and it has serious implications for anyone running AMD Radeon or Instinct GPUs for compute workloads. CVE-2026-46229, published on May 28, 2026, exposes a flaw in the AMD Kernel Fusion Driver (KFD) that could leak sensitive data from graphics memory. The bug: freshly allocated VRAM buffers get handed to userspace without being wiped clean, giving a process a window into whatever data the GPU was chewing on moments before.

For Windows power users who dabble in AI, dual-boot Linux for machine learning, or run GPU-accelerated workloads under WSL2, this isn't just a distant Linux concern. The vulnerability underscores how the increasingly sophisticated interplay between GPUs and operating systems creates new attack surfaces—ones that demand attention across platforms.

What Is AMD KFD and Why Should You Care?

The AMD Kernel Fusion Driver is not some obscure module. It's the Linux kernel interface that enables user-space compute frameworks to talk directly to AMD GPUs. If you’ve ever run TensorFlow, PyTorch, or any ROCm-based application on a Radeon RX 7000 series or an Instinct MI300X, you’ve leaned on KFD. It handles memory management, queue scheduling, and context switching for compute tasks, bypassing the traditional graphics stack for raw, low-latency access.

KFD is what makes AMD’s ROCm platform possible on Linux. Without it, there’s no way to harness the full parallel processing might of the GPU for scientific simulation, generative AI, or cryptocurrency mining. And because KFD operates at the kernel level, any bug in its memory handling can have system-wide consequences.

The Vulnerability: VRAM Not Zeroed on Allocation

The core of CVE-2026-46229 is deceptively simple: when KFD allocates an amdgpu VRAM buffer on behalf of a user-space process, it fails to clear the memory’s previous contents. In well‑behaved computing, any newly mapped memory should either be zeroed or filled with a known pattern to prevent information leaks. But here, the driver just hands over a raw chunk of physical video memory, complete with residual data from previous GPU tasks.

This means an unprivileged process could request a large VRAM allocation and immediately scan the returned memory for interesting artifacts—other users’ neural network weights, cryptographic keys processed by a GPU-accelerated encryption library, or even fragments of a video frame from a concurrently running application. The leak isn’t theoretical; it’s a classic “missing initialization” bug that gets reliably exploited in CPU memory, now transplanted into the GPU domain.

How the Exploit Works in Practice

An attacker would first need local access to a Linux system with an AMD GPU and the KFD interface enabled. This includes everything from a multi-tenant HPC cluster where users share GPU nodes to a development workstation with multiple containers or sandboxes. The attacker compiles a simple program that uses the KFD syscalls—or a higher‑level library like ROCt—to repeatedly allocate and read back VRAM buffers. No special privileges are required beyond the ability to open the KFD device file (/dev/kfd), which is typically world-readable on many distributions.

The program can then sift through the captured memory for telltale patterns. For example, floating-point numbers stored in IEEE 754 format can be parsed and reconstructed into neural network weight matrices. Private keys used in GPU-accelerated TLS termination stand out as structured binary blobs. Even mundane text or configuration files cached in GPU memory become fair game.

Because GPUs retain data across process boundaries and even across reboots (VRAM is not necessarily scrubbed at power‑off), the leakage window can be wide. A user who logs out doesn’t magically erase their data from the GPU’s memory pool. The next process that allocates that same physical region gets a free peek.

AI Model Theft. Many organizations fine‑tune large language models on‑premises using AMD Instinct accelerators. The model weights often represent intellectual property worth millions. If a co‑tenant on the same physical server can allocate enough VRAM to cover the model’s footprint, they could reconstruct a significant portion of the weights in a matter of minutes.

Cryptographic Key Leakage. GPU‑accelerated cryptography libraries like cuBLAS alternatives or custom ROCm kernels often load secret keys into VRAM for performance. Those keys can be extracted by a monitoring process that constantly allocates and inspects memory, turning a one‑time data leak into a persistent attack.

Privacy Violations in Mixed‑Workload Environments. Cloud providers sometimes oversubscribe GPU resources, running multiple customer workloads on the same physical adapter. Even with virtualized GPUs, the underlying KFD memory manager might serve uncleaned pages to a new VM. This could expose inter‑customer data, violating privacy regulations and trust.

Forensic Data Recovery. Law enforcement or malicious insiders could use this bug to recover deleted files or traces of past user activity, effectively turning the GPU into a persistent storage medium that the OS believes is ephemeral.

Affected Hardware and Software

While the NVD entry doesn’t specify exact kernel versions, the bug affects all Linux kernels where the amdgpu driver with KFD support is enabled. That generally means anything from kernel 4.x onward with AMD GPU support compiled in. Specific GPUs known to use KFD include:

  • Radeon RX 5000 series and newer (RDNA 1, 2, and 3)
  • Radeon Pro W series and Instinct MI series (CDNA 1, 2, and 3)
  • AMD APUs with integrated Radeon graphics (Ryzen with Vega or later iGPUs)

All major Linux distributions shipping a recent kernel (Ubuntu 22.04 and later, Fedora 37+, Arch, openSUSE, and RHEL variants) are potentially vulnerable. Custom kernels built with AMDGPU and AMDGPUKFD options are also at risk. The issue exists at the kernel level, so simply updating ROCm or user-space libraries does not close the hole.

Mitigations and Fixes

AMD has been notified and is expected to release a kernel patch that zeroes VRAM buffers upon allocation in the KFD path. In the meantime, system administrators can take several steps:

  • Disable KFD. If you don’t need GPU compute, blacklist the module or unset AMDGPUKFD in the kernel config and reboot. This cuts off access to ROCm entirely, but for graphic‑only workloads, it’s a safe temporary measure.
  • Restrict /dev/kfd. Change permissions to allow only root or a dedicated video group with limited membership. This prevents unprivileged users from triggering allocations.
  • Enforce Mandatory Access Controls. Use SELinux or AppArmor to confine processes that interact with the KFD device, ensuring that even if a program is compromised, it can’t scan raw memory.
  • Apply the Patch. Once AMD or the kernel community releases a fix, update immediately. The patch will likely be backported to stable kernels (5.15.x, 6.1.x, 6.6.x, etc.) and should trickle down to distribution kernels within days.

For multi‑tenant environments, consider enabling the amdgpu.virtualdisplay and amdgpu.gpurecovery options, though these don’t address the zeroing issue. The only true mitigation is preventing unauthorized access to the KFD interface.

The Windows Angle: Are We Affected?

This CVE is a Linux kernel bug, and the Windows graphics driver architecture is fundamentally different. Windows does not have a direct analogue to the KFD interface; AMD’s compute stack on Windows uses a combination of user-mode drivers (PAL – Platform Abstraction Library) and kernel-mode components that communicate via D3DKMT. Memory allocation for compute on Windows goes through the standard WDDM model, which has its own memory clearing semantics.

However, the vulnerability should give Windows enthusiasts pause for several reasons:

  1. WSL2 with GPU Acceleration. Microsoft’s Windows Subsystem for Linux 2 allows Linux programs to leverage the host GPU through a paravirtualized driver. Under the hood, WSL2’s Linux kernel actually runs a stripped‑down version of the AMDGPU driver, which may include parts of KFD. If a user enables GPU‑accelerated compute in WSL2 and runs a Linux ROCm workload, the vulnerable code could theoretically be exercised—though the hypervisor layer might intercept and sanitize allocations differently. Microsoft and AMD have not yet issued guidance on this scenario.

  2. Shared Codebase. AMD’s GPU driver team develops across platforms, and memory‑handling bugs often have cousins in the Windows driver stack. While no identical CVE has been filed for Windows, it’s wise to stay alert for future disclosures about GPU memory leaks on Windows. The fundamental lesson—that GPU memory isn’t automatically scrubbed between allocations—applies irrespective of the OS.

  3. GPU Security Awareness. As more Windows users adopt DirectML, ONNX Runtime, and other GPU compute frameworks, the attack surface grows. Tools like GPU Caps Viewer or custom Python scripts can already query VRAM contents on Windows. This Linux bug highlights the need for the industry to treat GPU memory with the same security rigor as system RAM.

The Bigger Picture: GPU Memory Is the New Frontier for Vulnerabilities

CVE-2026-46229 is not the first GPU memory leak, and it won’t be the last. Similar issues have plagued NVIDIA’s CUDA driver in the past, and integrated GPUs in mobile SoCs have been caught leaking textures from one app to another. The underlying cause is always the same: performance optimizations lead developers to skip costly zeroing operations, assuming the user‑space application will either overwrite the data immediately or that no sensitive data could possibly reside there.

But modern GPUs are used for far more than rendering games. They hold encryption keys, personal photos during facial recognition indexing, and entire language models worth billions of parameters. The assumption that VRAM is a temporary scratchpad is dangerously outdated.

Standards bodies and silicon vendors are beginning to take note. The Confidential Computing Consortium is exploring GPU attestation and encrypted memory for accelerators. Intel’s upcoming GPUs support SR-IOV with per‑VM memory isolation. AMD itself has been promoting SEV (Secure Encrypted Virtualization) for CPUs; extending similar mechanisms to GPUs could prevent future incarnations of this bug. But until hardware‑enforced isolation becomes ubiquitous, software must shoulder the burden of memory scrubbing.

What the Community Is Saying

Discussion on the Linux kernel security mailing list and among developers on forums like Level1Techs and Phoronix centers on how such a basic oversight slipped through. AMD’s KFD code has been under review for years, yet apparently no automated memory‑sanitizing tool (like Kernel Memory Sanitizer – KMSAN) was run against the allocation paths. Some commenters note that the amdgpu driver’s rapid feature expansion—driven largely by the AI boom—has outpaced its code quality checks.

There’s also debate about whether the clRetainMemObject-style API semantic, where memory is expected to be re‑used without clearing, inadvertently influenced the KFD design. Regardless, the consensus is clear: users should apply the fix the moment it lands and not wait for a convenient update cycle.

How to Check If You’re Vulnerable

You can quickly test if your current kernel is affected. While a full vulnerability assessment requires a non‑production environment, the following pseudo‑check can hint at the problem:

# Check if KFD module is loaded
lsmod | grep amdgpu | grep kfd

If KFD is active, try reading raw VRAM (requires root)

WARNING: This is for demonstration only; don't do this on a production system.

sudo od -A x -t x1z /sys/kernel/debug/dri/0/amdgpuvram

This will dump the first portion of VRAM. If the output contains anything other than zeros (or the standard debug signature), you may be leaking data from previous GPU operations. A properly patched kernel would show only zeros or an error indicating that the debug interface is sanitized.

A more reliable approach is to compile a short test program that uses the KFD API to allocate a buffer and prints its contents. Several such proofs‑of‑concept are expected to appear on GitHub shortly.

The Road Ahead: Patching and Prevention

AMD’s response will likely include not only a code fix but also a kernel configuration option to enforce strict VRAM zeroing at the cost of slight performance overhead. For most users, the performance impact will be negligible—a few microseconds per allocation—but for latency‑sensitive HPC workloads, it might matter. Distributions will have to decide whether to enable zeroing by default or leave it to the administrator.

Looking forward, the security community will push for more rigorous testing of GPU drivers. Fuzzers and sanitizers must be extended to cover DMA and device‑memory mappings. The Linux kernel’s DMA API already offers dmaalloccoherent with zeroing guarantees, but KFD uses its own allocator to squeeze out every bit of speed. That custom allocator needs to be brought into the fold.

For Windows users who love to tinker, the takeaway is clear: keep your GPU drivers up to date, even if you think you only game. The days of treating GPU firmware as a set‑and‑forget component are over. As compute workloads move to the edge and generative AI becomes ubiquitous, the security of your video memory is just as important as the security of your system RAM.