Skip to main content

Linux CVE-2026-23466

| EUVDEUVD-2026-18732 HIGH
2026-04-03 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
1e9e2640d870d4837bcfdc220cb2c99ae5ee119f,01f2557aa684e514005541e71a3d01f4cd45c170,76326dc06d8793c2c81c31cc0115dbc348de2f88
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18732
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Open-code GGTT MMIO access protection

GGTT MMIO access is currently protected by hotplug (drm_dev_enter), which works correctly when the driver loads successfully and is later unbound or unloaded. However, if driver load fails, this protection is insufficient because drm_dev_unplug() is never called.

Additionally, devm release functions cannot guarantee that all BOs with GGTT mappings are destroyed before the GGTT MMIO region is removed, as some BOs may be freed asynchronously by worker threads.

To address this, introduce an open-coded flag, protected by the GGTT lock, that guards GGTT MMIO access. The flag is cleared during the dev_fini_ggtt devm release function to ensure MMIO access is disabled once teardown begins.

(cherry picked from commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431)

AnalysisAI

Linux kernel DRM/xe driver fails to protect GPU memory (GGTT) MMIO access during failed driver load or asynchronous buffer object teardown, potentially enabling information disclosure or memory corruption. The vulnerability affects systems with Intel Xe graphics where the driver's hotplug-based protection mechanism does not activate if initialization fails, leaving GGTT memory accessible after the driver should have been disabled. CVSS and KEV status not available; patches have been released in upstream Linux stable branches.

Technical ContextAI

The vulnerability exists in the Direct Rendering Manager (DRM) Xe driver's GPU GTT (Graphics Translation Table) MMIO (Memory-Mapped I/O) access control. The DRM subsystem uses drm_dev_enter/drm_dev_unplug for device lifecycle management and protection of hardware access. The Xe driver's GGTT (Global Graphics Translation Table) handles GPU memory mapping operations. The root cause is insufficient synchronization: drm_dev_unplug() is only called during successful driver unbind/unload, not on failed load; additionally, devm (device-managed) resource cleanup cannot guarantee GGTT BOs (buffer objects) are destroyed before MMIO regions are removed when cleanup occurs asynchronously via worker threads. The fix implements an open-coded flag, protected by GGTT lock, to explicitly gate MMIO access and clear it during dev_fini_ggtt devm release. This addresses both the failed-load case and asynchronous teardown race condition.

RemediationAI

Update to a Linux kernel version that includes the Xe GGTT MMIO protection fix. Upstream stable patches are available at https://git.kernel.org/stable/c/e2b424aadecb640f9e037b2891191cf8fd4c64cf and related commits 1e9e2640d870d4837bcfdc220cb2c99ae5ee119f, 76326dc06d8793c2c81c31cc0115dbc348de2f88, and 01f2557aa684e514005541e71a3d01f4cd45c170. Consult your Linux distribution (Fedora, Ubuntu, Debian, RHEL, etc.) for backported kernel security updates that include these fixes and apply the recommended kernel update. If immediate patching is not feasible, monitor for driver initialization failures and avoid unloading/reloading the xe driver module during runtime; graceful system shutdown is preferred to minimize exposure to the asynchronous teardown race condition. No workarounds are documented; patching is the primary remediation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy