Skip to main content

Linux Kernel CVE-2026-52950

| EUVDEUVD-2026-38818 HIGH
Expired Pointer Dereference (CWE-825)
2026-06-24 Linux GHSA-mp35-p2hc-v59q
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local access to the Xe device with low privileges (AV:L/PR:L); AC:H because reliable UAF exploitation needs race timing and heap grooming; full kernel-level C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:31 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/dma-buf: fix UAF with retry loop

Retry doesn't work here, since bo will be freed on error, leading to UAF. However, now that we do the alloc & init before the attach, we can now combine this as one unit and have the init do the alloc for us. This should make the retry safe.

Reported by Sashiko.

v2: Fix up the error unwind (CI)

(cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)

AnalysisAI

Local privilege escalation and memory corruption in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) arises from a use-after-free in the dma-buf import path, where an error-handling retry loop operates on a buffer object (bo) that has already been freed. Affecting kernel 6.18 series before the 6.18.33 stable fix, a local low-privileged user with access to the Xe DRM device can trigger the freed-object access to corrupt kernel memory or leak data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to Xe-capable host
Delivery
Open Xe DRM device node
Exploit
Trigger dma-buf import error path
Execution
Retry loop reuses freed bo
Persist
Groom heap to control freed slot
Impact
Escalate privileges or leak kernel memory

Vulnerability AssessmentAI

Exploitation Requires local access to a system running an affected Linux 6.18 kernel with the Intel Xe (drm/xe) driver active and the GPU device nodes (/dev/dri/*) reachable by the attacker - i.e., the target must have Intel Xe-supported graphics hardware and the Xe driver loaded. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a genuine but bounded local risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privileged user (or code escaping a sandbox onto a machine with Intel Xe graphics) issues a crafted sequence of dma-buf import operations against the Xe DRM device, forcing the error path so the retry loop dereferences the already-freed buffer object. By grooming kernel heap allocations to reoccupy the freed slot, the attacker turns the use-after-free into controlled memory corruption to escalate privileges or disclose kernel memory. …
Remediation Vendor-released patch: update to the fixed stable kernel (referenced as 6.18.33) or later, which contains the cherry-picked fix (upstream commit 479669418253e0f27f8cf5db01a731352ea592e7) merging allocation and init to make the retry path UAF-safe. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify systems running Linux kernel 6.18.0-6.18.32 with Intel Xe graphics drivers enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52950 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy