MEDIUM 5.5

CVE-2026-46224: Linux Xe DRM Memory Leak DoS Vulnerability – Patch Guidance

A memory leak vulnerability exists in the Linux kernel's DRM (Direct Rendering Manager) Xe driver. When the driver attempts to initialize a DMA buffer object and encounters an allocation failure, it fails to properly clean up a pre-allocated buffer object, causing it to leak into memory. The vulnerability requires local system access and affects the kernel's ability to manage GPU memory correctly. While this is not a critical security issue, it can lead to denial of service through memory exhaustion over time.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-401
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error. xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed. Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning. v2: Add comments to explain the free logic. (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46224 is a resource management flaw in xe_dma_buf_init_obj() within the Xe DRM driver (drivers/gpu/drm/xe/). When drm_gpuvm_resv_object_alloc() fails during DMA buffer initialization, the function returns an error without freeing the pre-allocated storage buffer object (storage bo). Since xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on its own error paths, the calling function xe_gem_prime_import() cannot reliably determine ownership semantics and safely decide whether to free the buffer. The fix adds an explicit xe_bo_free(storage) call before error return paths and clarifies ownership documentation: on success, storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.

Business impact

This vulnerability enables a local, unprivileged user to trigger memory leaks in the kernel's GPU memory management subsystem. By repeatedly triggering allocation failures in the Xe DMA buffer initialization path, an attacker could gradually exhaust system memory, eventually causing system instability or denial of service. The impact is limited by the requirement for local system access and non-root privileges. For organizations running GPU-accelerated workloads on vulnerable Linux systems (especially in shared multi-tenant environments or when untrusted users have shell access), this represents a denial-of-service risk rather than data breach or privilege escalation.

Affected systems

The vulnerability affects all Linux kernel versions that include the Xe DRM driver code with the unfixed xe_dma_buf_init_obj() function. This primarily impacts systems using Intel Arc GPUs on Linux, where the Xe driver is required. The affected code path is activated when user-space applications request DMA buffer import operations. Systems using other GPU drivers (NVIDIA, AMD) are not affected; only systems with Xe DRM driver are vulnerable.

Exploitability

This vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM) with attack vector Local, Attack Complexity Low, Privilege Requirements Low, and User Interaction None. Exploitation requires an unprivileged local user account on the target system. An attacker would need to repeatedly invoke DMA buffer operations that trigger the allocation failure path. The low complexity and lack of user interaction requirement make this relatively straightforward to trigger, though the impact (memory exhaustion) may take time to manifest depending on system memory size and workload patterns. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Apply the kernel patch that adds the missing xe_bo_free(storage) call in xe_dma_buf_init_obj() error paths (cherry-picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9). This fix ensures proper memory cleanup on allocation failure and clarifies ownership semantics between xe_dma_buf_init_obj() and its caller. Verify the patch version against your Linux distribution's security advisory or kernel.org for the specific kernel version you are running.

Patch guidance

Obtain the patch through your Linux distribution's security update mechanism (e.g., apt, yum, dnf, zypper) or from kernel.org. The fix is minimal and surgical, adding xe_bo_free(storage) calls and clarifying comments—low risk of regression. Patch and reboot at your earliest maintenance window; kernel memory leaks can compound over time. Verify the patched kernel includes commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9 in the Xe driver code. Test GPU workloads after patching to confirm normal operation.

Detection guidance

Monitor kernel memory usage and GPU memory allocation patterns for unexplained growth, particularly on systems where untrusted users have shell access or GPU access. Kernel dmesg logs may show signs of memory pressure or OOM (Out of Memory) events if the leak is triggered repeatedly. If possible, enable audit logging on DMA buffer operations. Detection is challenging at the application level; kernel-level monitoring or memory accounting tools (e.g., memusage, memory cgroups) are more effective. Check /proc/meminfo and GPU memory counters for sustained increases without corresponding workload growth.

Why prioritize this

This medium-severity vulnerability should be prioritized for patching because it enables local denial of service in environments where untrusted users have system access, particularly in multi-tenant GPU compute clusters or shared development systems. While not as critical as remote code execution vulnerabilities, memory exhaustion attacks are difficult for users to distinguish from legitimate resource contention and can silently degrade system reliability. Organizations running Xe GPU drivers should patch within one or two maintenance cycles; others are unaffected and can defer.

Risk score, explained

The CVSS 3.1 score of 5.5 reflects the attack complexity (low), local attack vector, requirement for low privileges, and availability impact (high). The score does not include confidentiality or integrity impact, as this is purely a denial-of-service through resource exhaustion. The score appropriately reflects medium risk: this is not a privilege escalation or remote attack, but it does enable a credible local DoS attack that could disrupt GPU-accelerated services.

Frequently asked questions

Who is affected by this vulnerability?

Organizations and users running the Linux kernel with the Xe DRM driver enabled, particularly those with Intel Arc GPUs. Multi-tenant environments, shared GPU clusters, and systems where untrusted or unprivileged users have local shell access are at higher risk. Single-user systems or those with only trusted user access have lower practical risk.

Can this vulnerability be exploited remotely?

No. The vulnerability requires local system access with a user-level account. It cannot be exploited remotely over the network. An attacker must already have a local login or shell account on the target system.

What is the difference between this vulnerability and a typical memory leak?

This is a kernel-level memory leak triggered by allocation failures in GPU driver code. While application-level memory leaks are confined to a single process, a kernel memory leak cannot be reclaimed by process termination and accumulates across the entire system, making it a denial-of-service vector when repeatedly triggered.

Do I need to reboot after applying the patch?

Yes, a kernel update requires a reboot to take effect. Plan the reboot during a maintenance window. Memory leaks in the GPU driver will accumulate until the kernel is updated and restarted.

This vulnerability analysis is provided for informational purposes by SEC.co. Patch version numbers, affected product versions, and vendor advisory details should be verified against official Linux distribution security advisories and kernel.org before deploying patches. The attack scenarios described are representative but not exhaustive. Organizations should conduct their own risk assessment based on their specific GPU driver usage, user access model, and workload criticality. Always test patches in a non-production environment before deployment. SEC.co does not provide exploit code or step-by-step attack instructions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).