Skip to main content

Linux Kernel CVE-2026-46224

| EUVDEUVD-2026-32851 MEDIUM
Memory Leak (CWE-401)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-jcp9-g46r-j6hh
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local driver bug requires low-privilege GPU device node access; memory leak produces only availability impact with zero confidentiality or integrity exposure.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:16 vuln.today
CVSS changed
Jun 10, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure

When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.

xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.

Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.

v2: Add comments to explain the free logic.

(cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)

AnalysisAI

Memory leak in the Linux kernel's drm/xe Intel Xe GPU driver allows a local, low-privileged user to exhaust kernel memory by repeatedly triggering DMA buffer import failures, leading to denial of service. The bug resides in xe_dma_buf_init_obj(), where a pre-allocated buffer object (bo) is not freed when drm_gpuvm_resv_object_alloc() fails, due to ambiguous ownership semantics between the caller and callee on error paths. No public exploit exists and EPSS probability is extremely low at 0.02% (4th percentile), placing this in the maintenance-priority category rather than urgent remediation for most environments.

Technical ContextAI

The vulnerable code resides in the drm/xe subsystem - Intel's GPU driver for Arc discrete and newer integrated Xe-architecture graphics, introduced in recent Linux kernel versions. The affected path is the DMA-BUF import mechanism: xe_gem_prime_import() calls xe_dma_buf_init_obj(), which calls xe_bo_init_locked(). The DMA-BUF framework enables cross-process and cross-device GPU buffer sharing via file descriptors. CWE-401 (Missing Release of Memory after Effective Lifetime) applies precisely: xe_bo_init_locked() frees the bo on its own internal error paths, but xe_dma_buf_init_obj() has additional error paths - specifically when drm_gpuvm_resv_object_alloc() fails - where it must independently free the pre-allocated storage bo. Because xe_gem_prime_import() cannot distinguish which error path fired, it cannot safely decide whether to free the bo, resulting in a guaranteed leak on that failure branch. The CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* confirms broad kernel version coverage, with the 7.1:rc1 release candidate also explicitly listed as affected.

RemediationAI

Upgrade to a patched Linux kernel version: Linux 6.18.32, Linux 7.0.9, or Linux 7.1-rc2 per EUVD confirmed fix data. The upstream fix originates from cherry-picked commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9 and is applied across stable trees at https://git.kernel.org/stable/c/8fa8c2a22585fcb31dc605b91a67bbcca223fdd7, https://git.kernel.org/stable/c/93a528f67ce5095bcab46a69839eca97f43dd352, and https://git.kernel.org/stable/c/f9ad21b90162baf1d78f8036ff3813c3ec1ac88e. For systems that cannot be immediately patched, blacklisting the xe kernel module via 'blacklist xe' in /etc/modprobe.d/ eliminates the vulnerable code path entirely, though this disables all Intel Xe GPU functionality including display output on systems relying on Xe for graphics. Given the AV:L attack vector, low EPSS score, and lack of active exploitation, scheduling the kernel update at the next standard maintenance window is appropriate for most deployments without urgent escalation.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy