Skip to main content

Linux Kernel xe driver CVE-2026-43280

| EUVDEUVD-2026-27676 HIGH
Out-of-bounds Read (CWE-125)
2026-05-06 Linux GHSA-cmxm-m5w5-f84q
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:45 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.1 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:29 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise

When user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array.

The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries).

Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels.

v2(Matthew Auld)

  • Using array_index_nospec() to mitigate spectre attacks when the value

is used

v3(Matthew Auld)

  • Put the declarations at the start of the block

(cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)

AnalysisAI

Local authenticated attackers can trigger an out-of-bounds kernel memory read in Linux kernel's xe graphics driver (6.18-6.19.x) via malicious pat_index values in the madvise IOCTL. This allows information disclosure from kernel memory and potential denial of service through kernel crashes. The vulnerability exists because madvise_args_are_sane() fails to validate pat_index bounds before passing it to xe_pat_index_get_coh_mode(), which performs unsafe array access into xe->pat.table. Vendor patches available for kernels 6.18.16+ and 6.19.6+ implement bounds checking with array_index_nospec() to prevent both direct exploitation and Spectre-based side-channel attacks. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.

Technical ContextAI

The xe driver is Intel's modern GPU kernel driver for Xe graphics hardware in recent Linux kernels. The vulnerability resides in the madvise IOCTL handler's Page Attribute Table (PAT) index validation logic. PAT indices control memory caching behavior for GPU memory mappings. The code path calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) to retrieve coherency mode settings from the xe->pat.table array without first verifying args->pat_index.val is within valid bounds [0, xe->pat.n_entries). While WARN_ON() assertions exist in debug builds, production kernels perform the array access unconditionally, allowing reads beyond allocated memory. The fix implements explicit bounds checking and uses array_index_nospec() - a Linux kernel primitive that inserts memory barriers to prevent speculative execution from leaking out-of-bounds data via CPU cache timing side channels (Spectre variant 1). This affects the xe driver specifically, introduced in kernel 6.18, not the broader i915 legacy Intel graphics driver.

RemediationAI

Upgrade to fixed kernel versions: 6.18.16 or later for 6.18.x series, 6.19.6 or later for 6.19.x series, or latest mainline kernel with commit fbbe32618e97eff81577a01eb7d9adcd64a216d7. Patches available from https://git.kernel.org/stable/c/ffba51100ff61792fefbae11ca38ac1987a818dd (6.18), https://git.kernel.org/stable/c/79f52655567a6471ff3d0d6325ede91bb14461f4 (6.19), and https://git.kernel.org/stable/c/fbbe32618e97eff81577a01eb7d9adcd64a216d7 (mainline). For systems unable to patch immediately, compensating controls include: disable xe driver module loading via kernel command line parameter (modprobe.blacklist=xe) and rely on i915 legacy driver if compatible hardware exists - this eliminates attack surface but loses xe-specific features like improved performance on Xe GPUs. Restrict local user access to systems running vulnerable kernels, as attack requires authenticated local access (PR:L). Implement namespace isolation for containerized GPU workloads to limit lateral movement if exploitation occurs. These mitigations trade functionality or usability for security and should be temporary until patching.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy