
Linux Kernel CVE-2026-46264

EUVD-2026-34126 HIGH
Use After Free (CWE-416)
2026-06-03 Linux GHSA-c3hw-32vq-7q95
CVSS 3.1: 8.8

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 05, 2026 - 07:28 (vuln.today)
CVSS changed: Jun 05, 2026 - 07:22 (NVD), 8.8 (HIGH)
Patch available: Jun 03, 2026 - 19:01 (EUVD)
CVE Published: Jun 03, 2026 - 15:50 (nvd), UNKNOWN (no severity yet)
CVE Published: Jun 03, 2026 - 15:50 (nvd), HIGH 8.8

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/pf: Fix sysfs initialization

In case of devm_add_action_or_reset() failure the provided cleanup action will be run immediately on the not yet initialized kobject. This may lead to errors like:

[ ] kobject: '(null)' (ff110001393608e0): is not initialized, yet kobject_put() is being called.
[ ] WARNING: lib/kobject.c:734 at kobject_put+0xd9/0x250, CPU#0: kworker/0:0/9
[ ] RIP: 0010:kobject_put+0xdf/0x250
[ ] Call Trace:
[ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe]
[ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe]
[ ] xe_sriov_init_late+0x5f/0x2c0 [xe]
[ ] xe_device_probe+0x5f2/0xc20 [xe]
[ ] xe_pci_probe+0x396/0x610 [xe]
[ ] local_pci_probe+0x47/0xb0

[ ] refcount_t: underflow; use-after-free.
[ ] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x68/0xb0, CPU#0: kworker/0:0/9
[ ] RIP: 0010:refcount_warn_saturate+0x68/0xb0
[ ] Call Trace:
[ ] kobject_put+0x174/0x250
[ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe]
[ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe]
[ ] xe_sriov_init_late+0x5f/0x2c0 [xe]
[ ] xe_device_probe+0x5f2/0xc20 [xe]
[ ] xe_pci_probe+0x396/0x610 [xe]
[ ] local_pci_probe+0x47/0xb0

Fix that by calling kobject_init() and kobject_add() separately and register cleanup action after the kobject is initialized.

Also make this cleanup registration a part of the create helper to fix another mistake, as in the loop we were wrongly passing parent kobject while registering cleanup action, and this resulted in some undetected leaks.

(cherry picked from commit 98b16727f07e26a5d4de84d88805ce7ffcfdd324)
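
A userspace model of the ordering problem described above, added here as an illustration; it is not the xe driver's code. The toy_* names and run_setup() are hypothetical stand-ins for the kernel's kobject and devm helpers.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for struct kobject: only the state this bug depends on. */
struct toy_kobj { bool initialized; int refcount; };

static int warnings; /* how many of the two WARN conditions fired */
static void toy_init(struct toy_kobj *k) { k->initialized = true; k->refcount = 1; }

/* Cleanup action, modelled on kobject_put(): drops one reference. */
static void toy_put(void *data)
{
    struct toy_kobj *k = data;
    if (!k->initialized)
        warnings++;        /* "is not initialized, yet kobject_put() is being called" */
    if (k->refcount <= 0)
        warnings++;        /* "refcount_t: underflow; use-after-free" */
    else
        k->refcount--;
}

/* Modelled on devm_add_action_or_reset(): on failure the action runs at once. */
static int toy_add_action_or_reset(void (*action)(void *), void *data, bool fail)
{
    if (fail)
        action(data);
    return fail ? -ENOMEM : 0;
}

/* Returns the number of warnings raised by one setup attempt. */
int run_setup(bool fixed_order, bool registration_fails)
{
    struct toy_kobj k = { false, 0 };
    warnings = 0;
    if (fixed_order) {     /* initialize first, then register the cleanup */
        toy_init(&k);
        toy_add_action_or_reset(toy_put, &k, registration_fails);
    } else {               /* cleanup registered on a still-uninitialized object */
        if (toy_add_action_or_reset(toy_put, &k, registration_fails) == 0)
            toy_init(&k);
    }
    return warnings;
}

int main(void)
{
    printf("registration fails: old order %d warnings, new order %d warnings\n",
           run_setup(false, true), run_setup(true, true));
    return 0;
}
```

With the old ordering a failed registration raises both conditions seen in the log; with the initialize-then-register ordering the same failure releases the single reference cleanly.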

Analysis (AI)

Local privilege escalation potential exists in the Linux kernel's Intel Xe DRM driver (drm/xe/pf) due to a sysfs initialization ordering bug in SR-IOV Physical Function setup, where a failed devm_add_action_or_reset() call invokes kobject_put() on an uninitialized kobject, triggering refcount underflow and use-after-free conditions. The flaw affects Linux kernel 6.19 prior to the 6.19.4 stable patch and has been resolved upstream; no public exploit identified at time of analysis and EPSS rates exploitation probability at only 0.02%.


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain local low-privilege shell on affected host
Delivery: Induce kernel memory pressure during Xe PF probe
Exploit: devm_add_action_or_reset() registration fails
Execution: kobject_put() runs on uninitialized kobject
Persist: Refcount underflow yields use-after-free
Impact: Potential kernel memory corruption and privilege escalation

Vulnerability Assessment (AI)

Exploitation: Requires the Intel Xe DRM driver (drm/xe) to be loaded with SR-IOV Physical Function support actively initializing - i.e., a system with a supported Intel discrete GPU (Xe-architecture) where xe_sriov_pf_init_late() executes during xe_device_probe. …

Risk Assessment: Signals are sharply conflicting and warrant skepticism of the headline CVSS. …

Exploit Scenario: A realistic exploitation path is highly constrained: a local attacker would need to induce a memory-allocation failure during Intel Xe PF probe so that devm_add_action_or_reset() fails, causing kobject_put() to run against an uninitialized kobject and triggering a refcount underflow that could be groomed into a use-after-free in kernel memory. In practice this is extremely difficult to trigger reliably from userspace because the vulnerable code runs during driver probe rather than in response to user input, and no POC is publicly available. …

Remediation: Vendor-released patch: Linux stable 6.19.4 - upgrade to 6.19.4 or later, which incorporates the upstream fix that splits kobject_init() and kobject_add() and moves cleanup-action registration into the create helper after the kobject is properly initialized. …

Recommended Action (AI)

24 hours: Inventory systems running Linux kernel 6.19.0-6.19.3 and prioritize those with remote management exposure. …
