CVE-2026-53139 Affecting linux-qemu-melange package, versions <6.18.38-r0


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.12% (3rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-LINUXQEMUMELANGE-17940322
  • published11 Jul 2026
  • disclosed25 Jun 2026

Introduced: 25 Jun 2026

NewCVE-2026-53139  (opens in a new tab)

How to fix?

Upgrade Chainguard linux-qemu-melange to version 6.18.38-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream linux-qemu-melange package and not the linux-qemu-melange package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Skip CSD when it has zeroed workgroups

A compute shader dispatch encodes its workgroup counts in the CFG0..CFG2 registers. Kicking off a dispatch with a zero count in any of the three dimensions is invalid. First, the hardware will process 0 as 65536, while the user-space driver exposes a maximum of 65535. Over that, a submission with a zeroed workgroup dimension should be a no-op.

These zeroed counts can reach the dispatch path through an indirect CSD job, whose workgroup counts are only known once the indirect buffer is read and may legitimately be zero, but such scenario should only result in a no-op.

Overwrite the indirect CSD job workgroup counts with the indirect BO ones, even if they are zeroed, and don't submit the job to the hardware when any of the workgroup counts is zero, so the job completes immediately instead of running the shader.

CVSS Base Scores

version 3.1