Executive Summary
CVE-2026-53325 is a denial-of-service vulnerability in the Linux kernel's AMD64 AGP driver (drivers/char/agp/amd64-agp.c). The flaw is improper error propagation in agp_amd64_probe(): when the probe runs on a system without a physical AMD northbridge, typically a guest under QEMU or KVM, the driver continues initialization and dereferences a NULL pointer, producing a General Protection Fault (GPF) and a kernel crash. The impact is loss of availability for the affected guest or host; the flaw gives no code execution or privilege escalation. Fixes have shipped in recent kernel releases, but a broad range of kernel versions is affected until updated. There is currently no evidence of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Technical Information
CVE-2026-53325 is classified as a NULL pointer dereference (CWE-476) in the Linux kernel's AMD64 AGP driver. The root cause is that agp_amd64_probe() does not correctly handle the error codes returned by cache_nbs(). When no AMD northbridge is detected, cache_nbs() returns -ENODEV (-19 on Linux), but the probe only treats a return value of exactly -1 as failure rather than any negative value. The -ENODEV result therefore passes the check, the driver proceeds with initialization although the hardware it depends on is absent, and amd64_fetch_size() crashes when it dereferences the NULL northbridge pointer. The rule the driver violated is the usual kernel one: a function that reports failure as a negative errno value must be checked with ret < 0, never against a single sentinel value.
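To make the check concrete, here is a small user-space model of the probe path described above. It is an added example written for this page and is not the kernel's code: the two-integer hardware description (nb_count, bridge_setup_fails), the *_model helper names and the extra nb_count parameter on node_to_amd_nb are simplifications of the kernel interfaces, and the model returns -EFAULT where the real amd64_fetch_size() would dereference NULL. It shows the vulnerable comparison against -1 next to the corrected check for any negative value.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Illustrative model of the agp_amd64_probe() error-propagation bug.
 * Not kernel code: the hardware description, the *_model names and the
 * extra nb_count argument on node_to_amd_nb() are hypothetical; the
 * kernel-named functions mirror the symbols the advisory refers to.
 */

struct amd_nb {
	int node;
};

/* Hypothetical northbridge table; nb_count == 0 models a VM with no AMD northbridge. */
static struct amd_nb nb_table[8];

static struct amd_nb *node_to_amd_nb(int node, int nb_count)
{
	return node < nb_count ? &nb_table[node] : NULL;
}

/*
 * Models cache_nbs(): -ENODEV when no northbridge is present, -1 for a
 * per-bridge setup failure, 0 on success.
 */
static int cache_nbs_model(int nb_count, int bridge_setup_fails)
{
	if (nb_count == 0)
		return -ENODEV;
	if (bridge_setup_fails)
		return -1;
	return 0;
}

/*
 * Models the dereference in amd64_fetch_size(). The real driver reads a
 * register through node_to_amd_nb(0) and crashes on NULL; the model
 * returns -EFAULT instead so the buggy path can be shown without killing
 * the process.
 */
static int amd64_fetch_size_model(int nb_count)
{
	struct amd_nb *nb = node_to_amd_nb(0, nb_count);

	if (nb == NULL)
		return -EFAULT;	/* NULL pointer dereference / GPF in the real driver */
	return 0;
}

/* Vulnerable probe: only -1 is treated as failure, so -ENODEV falls through. */
static int probe_vulnerable(int nb_count, int bridge_setup_fails)
{
	if (cache_nbs_model(nb_count, bridge_setup_fails) == -1)
		return -ENODEV;
	return amd64_fetch_size_model(nb_count);
}

/* Fixed probe: any negative return from cache_nbs() aborts the probe. */
static int probe_fixed(int nb_count, int bridge_setup_fails)
{
	int ret = cache_nbs_model(nb_count, bridge_setup_fails);

	if (ret < 0)
		return -ENODEV;
	return amd64_fetch_size_model(nb_count);
}

int main(void)
{
	printf("VM, no northbridge:  vulnerable=%d fixed=%d (-EFAULT=%d, -ENODEV=%d)\n",
	       probe_vulnerable(0, 0), probe_fixed(0, 0), -EFAULT, -ENODEV);
	printf("one northbridge:     vulnerable=%d fixed=%d\n",
	       probe_vulnerable(1, 0), probe_fixed(1, 0));
	printf("bridge setup fails:  vulnerable=%d fixed=%d\n",
	       probe_vulnerable(1, 1), probe_fixed(1, 1));
	return 0;
}
```

The two probe variants differ only in the no-northbridge case: the vulnerable probe reaches the fetch-size step holding a NULL pointer, while the fixed probe returns -ENODEV before touching it. When reviewing similar driver code, look for comparisons against -1 or another single sentinel on functions that return errno codes; each of those checks should read ret < 0.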
The bug is most likely to surface in virtualized environments, where no AMD northbridge is present but the driver is still built in or loaded. When such a kernel boots under QEMU, KVM or a similar platform that does not emulate an AMD northbridge, the faulty error-handling path runs during driver probe, and the result is a kernel panic or GPF. The impact is denial of service: the affected system crashes and must be rebooted, which can disrupt any hosted workloads or services. Because the crash happens at probe time, no deliberate attacker action is needed; simply booting an affected kernel with the driver enabled on such a guest is enough.
The affected code path exists in a wide range of kernel versions, from 2.6.18 up to, but not including, the fixed releases. The vulnerability does not provide privilege escalation or remote code execution; its impact is limited to a local denial of service through a system crash.
Exploitation in the Wild
As of the time of writing, there are no public reports or evidence of active exploitation of CVE-2026-53325 in the wild. The vulnerability is not present in the CISA Known Exploited Vulnerabilities (KEV) catalog, and no proof-of-concept exploit code has been published. The primary risk is accidental or intentional triggering of the bug in virtualized environments lacking AMD northbridge hardware, resulting in a denial of service. There is no indication that this vulnerability is being leveraged by threat actors for targeted attacks or as part of a broader campaign.
APT Groups using this vulnerability
There is no evidence that any Advanced Persistent Threat (APT) groups are exploiting or targeting CVE-2026-53325. Public threat intelligence sources and MITRE ATT&CK mappings do not associate this vulnerability with any known APT activity. The technical nature of the flaw, which results in a denial of service rather than code execution or privilege escalation, further reduces its attractiveness for sophisticated threat actors.
Affected Product Versions
The following Linux kernel versions are affected by CVE-2026-53325:
The vulnerability is present in kernels from version 2.6.18 up to, but not including, the first fixed release of each branch: 6.18.37 in the 6.18.x series, 7.0.14 in the 7.0.x series, 7.1.2 in the 7.1.x series, and 7.2-rc1 on mainline. In git terms, the affected range starts at commit a32073bffc656ca4bde6002b6cf7c1a8e0e22712 and ends before each of the fix commits 53483a9f4ee9eeb18aa866ec16cce79e136987e1, 0aa9b27c454c53074cde592eaceb442d30341585, cefe535a60a2e00e09f4b2689b0c8ffc6912459a and b08472db93b1ccff84a7adec5779d47f0e9d3a30. Distribution kernels often backport fixes without changing the upstream version number, so these ranges should be confirmed against the distribution's own advisory or changelog rather than the output of uname -r alone.
Systems running kernel versions prior to 2.6.18 or those updated to the fixed releases are not affected.
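The version boundaries above can be turned into a triage helper. The program below is an added example written for this page, not a kernel.org or distribution tool; the function name cve_2026_53325_affected and the sample version strings are constructed for the illustration. It parses uname -r style strings (final releases, -rcN tags and suffixes such as -generic) and applies the branch rules listed above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Triage helper written for this page (not a kernel.org or distribution
 * tool). It encodes the upstream version boundaries in the advisory:
 * affected from 2.6.18 up to, but not including, 6.18.37 / 7.0.14 / 7.1.2
 * on their stable branches and 7.2-rc1 on mainline. It compares upstream
 * version numbers only and knows nothing about distribution backports.
 */

struct kver {
	int major, minor, patch;
	int rc;		/* 0 for a final release, N for -rcN */
};

/* Parses "7.0.14", "7.2-rc1", "6.18.37-generic"; returns false if unparseable. */
static bool parse_kver(const char *s, struct kver *v)
{
	const char *rc;

	v->major = v->minor = v->patch = v->rc = 0;
	if (sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) < 2)
		return false;
	rc = strstr(s, "-rc");
	if (rc != NULL)
		v->rc = atoi(rc + 3);
	return true;
}

/* Orders versions; a final release sorts after every -rc of the same number. */
static int cmp_kver(const struct kver *a, const struct kver *b)
{
	int ra = a->rc ? a->rc : 1000000;
	int rb = b->rc ? b->rc : 1000000;

	if (a->major != b->major)
		return a->major - b->major;
	if (a->minor != b->minor)
		return a->minor - b->minor;
	if (a->patch != b->patch)
		return a->patch - b->patch;
	return ra - rb;
}

static const struct kver first_affected = { 2, 6, 18, 0 };
static const struct kver mainline_fixed = { 7, 2, 0, 1 };	/* 7.2-rc1 */
static const struct kver branch_fixed[] = {
	{ 6, 18, 37, 0 },
	{ 7, 0, 14, 0 },
	{ 7, 1, 2, 0 },
};

/* Returns 1 if the upstream version is in the affected range, 0 if not, -1 if unparseable. */
static int cve_2026_53325_affected(const char *version)
{
	struct kver v;
	size_t i;

	if (!parse_kver(version, &v))
		return -1;
	if (cmp_kver(&v, &first_affected) < 0)
		return 0;		/* predates the code path introduced in 2.6.18 */
	if (cmp_kver(&v, &mainline_fixed) >= 0)
		return 0;		/* 7.2-rc1 and later carry the fix */
	for (i = 0; i < sizeof(branch_fixed) / sizeof(branch_fixed[0]); i++) {
		if (v.major == branch_fixed[i].major && v.minor == branch_fixed[i].minor)
			return cmp_kver(&v, &branch_fixed[i]) < 0;
	}
	return 1;			/* another branch inside the affected range */
}

int main(int argc, char **argv)
{
	/* Constructed sample inputs for the demonstration. */
	static const char *samples[] = { "6.18.36", "6.18.37", "7.0.13", "7.0.14",
					 "7.1.1", "7.1.2", "7.2-rc1", "2.6.17" };
	size_t i;

	if (argc > 1) {
		printf("%s: affected=%d\n", argv[1], cve_2026_53325_affected(argv[1]));
		return 0;
	}
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-10s affected=%d\n", samples[i], cve_2026_53325_affected(samples[i]));
	return 0;
}
```

The answer is an upstream-version answer only. Distributions backport fixes without bumping the upstream version, and older long-term branches that the advisory does not list fall inside the affected range by version number until their own backport lands; confirm against the distribution advisory or the fix commit hashes before closing a finding.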
Workaround and Mitigation
The primary mitigation for CVE-2026-53325 is to upgrade to a fixed version of the Linux kernel. Administrators should apply the latest stable kernel updates that include the relevant patches. The fixes are available in the following kernel.org commits:
https://git.kernel.org/stable/c/0aa9b27c454c53074cde592eaceb442d30341585
https://git.kernel.org/stable/c/53483a9f4ee9eeb18aa866ec16cce79e136987e1
https://git.kernel.org/stable/c/b08472db93b1ccff84a7adec5779d47f0e9d3a30
https://git.kernel.org/stable/c/cefe535a60a2e00e09f4b2689b0c8ffc6912459a
Organizations operating virtualized Linux environments, particularly QEMU or KVM guests without AMD northbridge emulation, should prioritize patching and monitor for unexpected kernel panics or GPFs whose backtrace references amd64_fetch_size() or node_to_amd_nb(0). Exposure depends on whether the driver is present at all: it is built from CONFIG_AGP_AMD64, either into the kernel or as the amd64_agp module, so checking the kernel configuration and the loaded modules of the guest image is the quickest way to tell whether a given system can reach the crash. Other than applying the vendor-supplied patches there is no fix; on guests where the driver is built as a module and is not needed, preventing it from loading avoids the affected probe and is the only interim containment measure.
Indicators of Compromise
Indicators of compromise are point-in-time and should be validated before enforcement. At the time of writing, no public indicators of compromise (IOCs) specific to exploitation of CVE-2026-53325 are available. The only observable is the crash itself, a kernel panic or GPF with amd64_fetch_size() in the backtrace, which is a symptom of the bug rather than evidence of an attacker.
References
https://nvd.nist.gov/vuln/detail/CVE-2026-53325
https://git.kernel.org/stable/c/0aa9b27c454c53074cde592eaceb442d30341585
https://git.kernel.org/stable/c/53483a9f4ee9eeb18aa866ec16cce79e136987e1
https://git.kernel.org/stable/c/b08472db93b1ccff84a7adec5779d47f0e9d3a30
https://git.kernel.org/stable/c/cefe535a60a2e00e09f4b2689b0c8ffc6912459a
Rescana is here for you
Rescana empowers organizations to manage third-party risk and supply chain security with our advanced TPRM platform, providing continuous monitoring, automated assessments, and actionable insights to strengthen your cybersecurity posture. We are happy to answer any questions at info@rescana.com.