HIGH 7.8

CVE-2026-46201: Linux Xe Graphics Driver DMA-Buf Attachment Leak

A memory management flaw exists in the Linux kernel's display driver for Intel Xe graphics. When importing external memory buffers (dma-buf), the kernel fails to properly clean up an attachment if initialization of the buffer object encounters an error. This leaves orphaned kernel resources and can be exploited by a local user to cause denial of service or potentially escalate privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-401
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import() When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it. (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46201 is a resource leak vulnerability in xe_gem_prime_import() within the Linux kernel's DRM Xe driver. The function attaches a dma-buf using dma_buf_dynamic_attach(), but when xe_dma_buf_init_obj() fails downstream, the attachment is never detached via dma_buf_detach(). The fix adds explicit detachment in the error path. Notably, a goto-based cleanup pattern cannot be used here because xe_dma_buf_init_obj() already frees the buffer object on failure, making early return necessary to avoid double-free.

Business impact

Systems running vulnerable Linux kernels with Xe graphics drivers face resource exhaustion risks. A local attacker can repeatedly trigger the import failure path to accumulate orphaned dma-buf attachments, eventually degrading system responsiveness or causing kernel memory pressure conditions. In multi-tenant or containerized environments, this could disrupt GPU workloads and affect service availability. The vulnerability requires local access, limiting exposure in cloud infrastructure but posing real risk on desktop and workstation systems.

Affected systems

The Linux kernel is affected. Vulnerability applies to systems using the DRM Xe graphics driver, which supports Intel Arc and compatible GPUs. Specific affected kernel versions are not enumerated in the provided data; consult the official Linux kernel commit history and distribution advisories to determine exact version ranges.

Exploitability

Exploitability is straightforward for local users. The attack requires only the ability to invoke dma-buf import operations, which is typically available to unprivileged processes on systems with GPU access. No special authentication or kernel-level privileges are needed. Repeated calls to xe_gem_prime_import() with malformed or problematic buffer parameters can trigger the failure path and leak attachments, accumulating resource pressure over time.

Remediation

Apply the upstream Linux kernel patch that adds dma_buf_detach() in the error path of xe_gem_prime_import(). The fix is minimal and non-invasive. Verify the specific stable kernel version or distribution patch that includes commit a828eb185aac41800df8eae4b60501ccc0dbbe51 or its equivalent.

Patch guidance

Monitor upstream Linux kernel releases and distribution advisories for Xe driver updates. The fix has been cherry-picked into stable branches; check your distribution's kernel advisories for availability. Verify the patched kernel version against the original commit hash. On Fedora, RHEL, Ubuntu, Debian, and SUSE systems, kernel updates addressing this issue should be available through standard package management. Prioritize systems where GPU virtualization, container runtimes, or multi-user GPU access is enabled.

Detection guidance

Monitor kernel logs for repeated dma-buf attachment failures or GPU memory allocation warnings. In systems with audit enabled, track calls to dma_buf_dynamic_attach() that lack corresponding dma_buf_detach() calls. Dynamic memory profiling tools and kernel memory accounting interfaces can reveal orphaned attachment structures accumulating over time. Consider enabling CONFIG_DEBUG_OBJECTS or similar kernel debug options in test environments to catch resource leaks earlier.

Why prioritize this

With a CVSS score of 7.8 (HIGH) and local attack vector, this vulnerability warrants prompt attention on systems where untrusted local users have GPU access. The resource leak nature means repeated exploitation can degrade availability. However, it is not in CISA's Known Exploited Vulnerabilities catalog, suggesting exploitation in the wild is not yet widespread. Prioritize systems running interactive multi-user workloads or containerized GPU services.

Risk score, explained

The CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H vector reflects local attack vector (AV:L), low attack complexity (AC:L), and low privileges required (PR:L), but confined to the local system (S:U). The HIGH confidentiality, integrity, and availability impacts stem from the potential for kernel memory corruption, resource exhaustion, and denial of service. The absence of KEV status indicates this remains a lower-priority target for coordinated exploitation.

Frequently asked questions

Can a remote attacker exploit this vulnerability?

No. The attack vector is local (AV:L), requiring direct access to the system or the ability to execute code as an unprivileged user on that system. Remote exploitation is not possible.

What GPU models are affected?

The DRM Xe driver supports Intel Arc and compatible discrete GPUs. Systems with integrated Intel GPUs or non-Intel graphics are not affected by this Xe driver flaw, though they may run the same vulnerable kernel version for other reasons.

Is there a workaround if I cannot patch immediately?

Restrict GPU access to trusted users only. Disable GPU passthrough in virtualization environments or container runtimes if not actively needed. Revoke unprivileged user GPU permissions to reduce local attack surface.

How does this differ from other kernel memory leaks?

This is a resource leak in driver-managed objects (dma-buf attachments) rather than general kernel heap memory. It specifically accumulates when GPU import operations fail, making it triggered by application behavior rather than ambient kernel activity.

This analysis is based on publicly available CVE records and kernel commit data as of the publication date. Specific affected kernel versions and distribution patch status should be verified against official advisories from your Linux distribution. SEC.co makes no warranty regarding the accuracy or completeness of this analysis. Always test patches in non-production environments before deployment. Organizations should follow their own vulnerability management and risk assessment processes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).