HIGH 8.8

CVE-2026-46264: Linux xe GPU SR-IOV Sysfs Initialization Use-After-Free

A flaw in the Linux kernel's display driver (xe) for Intel GPUs causes a crash during system initialization. When the driver sets up user-facing controls (sysfs), a cleanup routine may run on an uninitialized object, leading to memory corruption and system instability. This occurs specifically in SR-IOV (virtualization) configurations where one GPU is shared among multiple virtual machines. The issue affects driver initialization sequences and can trigger kernel warnings and potential use-after-free conditions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: drm/xe/pf: Fix sysfs initialization In case of devm_add_action_or_reset() failure the provided cleanup action will be run immediately on the not yet initialized kobject. This may lead to errors like: [ ] kobject: '(null)' (ff110001393608e0): is not initialized, yet kobject_put() is being called. [ ] WARNING: lib/kobject.c:734 at kobject_put+0xd9/0x250, CPU#0: kworker/0:0/9 [ ] RIP: 0010:kobject_put+0xdf/0x250 [ ] Call Trace: [ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe] [ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe] [ ] xe_sriov_init_late+0x5f/0x2c0 [xe] [ ] xe_device_probe+0x5f2/0xc20 [xe] [ ] xe_pci_probe+0x396/0x610 [xe] [ ] local_pci_probe+0x47/0xb0 [ ] refcount_t: underflow; use-after-free. [ ] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x68/0xb0, CPU#0: kworker/0:0/9 [ ] RIP: 0010:refcount_warn_saturate+0x68/0xb0 [ ] Call Trace: [ ] kobject_put+0x174/0x250 [ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe] [ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe] [ ] xe_sriov_init_late+0x5f/0x2c0 [xe] [ ] xe_device_probe+0x5f2/0xc20 [xe] [ ] xe_pci_probe+0x396/0x610 [xe] [ ] local_pci_probe+0x47/0xb0 Fix that by calling kobject_init() and kobject_add() separately and register cleanup action after the kobject is initialized. Also make this cleanup registration a part of the create helper to fix another mistake, as in the loop we were wrongly passing parent kobject while registering cleanup action, and this resulted in some undetected leaks. (cherry picked from commit 98b16727f07e26a5d4de84d88805ce7ffcfdd324)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46264 is a use-after-free vulnerability in the Intel xe GPU driver's SR-IOV physical function (PF) sysfs initialization path. The flaw stems from improper ordering of kobject lifecycle operations: devm_add_action_or_reset() registers a cleanup callback before the kobject is fully initialized via kobject_init() and kobject_add(). On deferred action failure, the cleanup immediately invokes kobject_put() on an uninitialized object, triggering refcount underflow and memory safety violations. Additionally, the cleanup registration loop incorrectly passes the parent kobject rather than the target object, causing resource leaks. The fix reorders initialization to complete kobject setup before registering cleanup handlers and consolidates cleanup registration within the create helper function.

Business impact

Affected deployments using Intel xe GPUs in SR-IOV configurations—primarily cloud providers, data centers, and enterprises employing GPU virtualization—may experience unexpected system crashes during driver probe or virtual machine initialization. This can disrupt service availability, trigger unexpected reboots, and complicate infrastructure stability. The severity is heightened in multi-tenant environments where GPU sharing is critical to operational density. While not a remote code execution vector, the memory corruption aspect creates potential for escalation if combined with other vulnerabilities.

Affected systems

The Linux kernel with the Intel xe GPU driver for SR-IOV configurations is affected. This primarily impacts systems using Intel Arc GPUs (or compatible variants) in virtualization deployments where the physical function manages access for multiple virtual machines. The vulnerability manifests during xe_device_probe() initialization, so any system loading the xe driver module with SR-IOV enabled is at risk. The issue is specific to the Physical Function (PF) code path and does not affect Virtual Function (VF) or non-SR-IOV setups.

Exploitability

Exploitability is limited to local kernel-level code execution contexts. The vulnerability requires the attacker to trigger driver initialization on a system where xe is loaded with SR-IOV enabled—this occurs at boot, module load, or hardware hotplug events. A local user cannot directly trigger the flaw from userspace, but a privileged actor (root or system administrator) attempting to manage GPU virtualization could induce the crash. The use-after-free condition creates a theoretical window for privilege escalation if chained with other kernel exploits, but no public in-the-wild exploitation is known. The issue is primarily a stability and correctness bug rather than an immediate security exploit vector.

Remediation

Apply the upstream Linux kernel patch (commit 98b16727f07e26a5d4de84d88805ce7ffcfdd324 and its cherry-pick variants) which restructures the kobject initialization order and cleanup registration. The fix ensures kobject_init() and kobject_add() complete successfully before any cleanup action is registered, eliminating the window for premature deallocation. For production SR-IOV deployments, prioritize kernel updates that include this patch. Interim mitigation: disable SR-IOV on xe GPUs until patched kernels are deployed, though this reduces virtualization capability.

Patch guidance

Verify that your kernel version includes the fix from upstream commit 98b16727f07e26a5d4de84d88805ce7ffcfdd324. Check your distribution's kernel changelog and advisory pages for the specific version that backports this patch. Most major distributions (Red Hat, Ubuntu, SUSE, etc.) should include the fix in their next stable kernel update following the upstream merge. For systems running custom or older kernels, manually apply the patch or upgrade to a patched stable release. Test driver initialization in non-production SR-IOV environments first to confirm stability.

Detection guidance

Monitor kernel logs (dmesg, journalctl) for the warning signatures: 'kobject: (null)' with 'is not initialized, yet kobject_put() is being called' or 'refcount_t: underflow' in the call stack of xe_sriov_pf_sysfs_init. Watch for unexpected driver probe failures or GPU enumeration timeouts during boot. In virtualized environments, track GPU initialization failures in hypervisor logs. Automated log aggregation and alerting for these patterns can identify affected deployments before they cause operational issues. Systems that successfully boot with xe SR-IOV enabled are likely unaffected by this flaw.

Why prioritize this

Despite the CVSS 8.8 score, this vulnerability should be prioritized based on environmental context. Organizations running Intel xe GPUs in SR-IOV configurations should patch immediately to prevent unexpected crashes and potential data loss. However, systems without SR-IOV enabled or non-xe GPUs can safely deprioritize. The kernel memory corruption aspect and use-after-free condition warrant moderate urgency even in non-SR-IOV contexts as a defense-in-depth measure. Patch within 30 days for SR-IOV deployments; standard timelines acceptable otherwise.

Risk score, explained

The CVSS 8.8 (HIGH) reflects the local attack vector, low privilege requirement, high confidentiality/integrity/data availability impact, and scope change. The score appropriately captures the memory corruption and potential privilege escalation risk. However, real-world risk is modulated by the narrow applicability (SR-IOV only) and low likelihood of exploitation outside of deliberate infrastructure misconfiguration or administrative action. Organizations without SR-IOV should view this as a medium-priority stability fix; those with SR-IOV should treat it as high-priority due to crash potential in production virtualization environments.

Frequently asked questions

Do non-SR-IOV Intel xe GPU deployments need to patch this vulnerability?

No, the flaw is specific to the Physical Function code path used only in SR-IOV configurations. Standard single-VM or non-virtualized xe GPU systems are unaffected. However, patching for defense-in-depth and consistency across your fleet is still recommended.

Will this vulnerability cause data loss or security breaches?

The primary risk is unexpected kernel crashes and system reboots, which can cause application interruption and data loss if applications don't handle sudden shutdown gracefully. The use-after-free condition creates a theoretical window for privilege escalation if combined with other exploits, but no such chain has been publicly disclosed. It is not a direct remote code execution or data exfiltration vector.

How do I know if my system is affected?

Check if your kernel includes the Intel xe GPU driver and whether SR-IOV is enabled for your GPU. Run 'lsmod | grep xe' to confirm the driver is loaded, and check your hypervisor or firmware settings for SR-IOV enablement. If you see GPU enumeration failures or repeated 'kobject' warnings in dmesg during boot, your system is likely affected.

Can this be exploited remotely?

No. The vulnerability requires local kernel-level code execution context and is triggered during driver initialization on the affected host. It cannot be exploited over the network or by unprivileged remote users.

This analysis is provided for informational purposes to assist security teams in vulnerability assessment and patch prioritization. The information is based on the CVE record, upstream kernel documentation, and standard security analysis practices. Readers should verify patch availability with their Linux distribution vendor and conduct testing in non-production environments before deploying updates. No liability is assumed for decisions made based on this analysis. Always consult official vendor advisories for the most current guidance on affected versions and patch status. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).