Skip to main content

Linux Kernel CVE-2026-52976

| EUVDEUVD-2026-38844 HIGH
Expired Pointer Dereference (CWE-825)
2026-06-24 Linux GHSA-c52j-4pg6-8f2f
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local authenticated user (AV:L/PR:L); AC:H because exploitation needs the rarely-taken error path induced via resource exhaustion/race; UAF yields full memory-corruption impact (C/I/A:H).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:40 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()

Two error handling issues exist in xe_exec_queue_create_ioctl():

  1. When xe_hw_engine_group_add_exec_queue() fails, the error path jumps

to put_exec_queue which skips xe_exec_queue_kill(). If the VM is in preempt fence mode, xe_vm_add_compute_exec_queue() has already added the queue to the VM's compute exec queue list. Skipping the kill leaves the queue on that list, leading to a dangling pointer after the queue is freed.

  1. When xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has

succeeded, the error path does not call xe_hw_engine_group_del_exec_queue() to remove the queue from the hw engine group list. The queue is then freed while still linked into the hw engine group, causing a use-after-free.

Fix both by:

  • Changing the xe_hw_engine_group_add_exec_queue() failure path to jump

to kill_exec_queue so that xe_exec_queue_kill() properly removes the queue from the VM's compute list.

  • Adding a del_hw_engine_group label before kill_exec_queue for the

xa_alloc() failure path, which removes the queue from the hw engine group before proceeding with the rest of the cleanup.

(cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)

AnalysisAI

Local privilege escalation in the Linux kernel's drm/xe Intel GPU driver arises from two error-handling defects in xe_exec_queue_create_ioctl() that leave a freed exec queue linked into either the VM's preempt-fence compute list or the hardware engine group list, producing a dangling pointer and a use-after-free. A local user with access to the DRM device on systems running the affected Intel Xe driver (introduced around 6.12) can trigger the faulty cleanup paths to corrupt kernel memory, with potential for code execution at kernel privilege. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain local account with DRM access
Delivery
Open Intel Xe device node
Exploit
Call exec-queue-create ioctl on preempt-fence VM
Install
Induce alloc/registration failure to hit cleanup path
C2
Free queue still linked in list (UAF)
Execute
Groom heap and reclaim freed object
Impact
Escalate to kernel privileges

Vulnerability AssessmentAI

Exploitation Requires local access to the host and the ability to open the Intel Xe DRM device node and issue DRM_IOCTL_XE_EXEC_QUEUE_CREATE - so the system must have a supported recent Intel GPU with the xe driver loaded (kernel 6.12+). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a real but locally-scoped issue rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A logged-in local user (or a process escaped into an unprivileged container with GPU access) on a host with the Intel Xe driver repeatedly calls the exec-queue-create ioctl against a preempt-fence VM while inducing resource exhaustion so the post-registration cleanup branch is taken, freeing an exec queue that is still linked into the VM compute list or hw engine group. By grooming the kernel heap to reclaim the freed object, the attacker turns the resulting dangling-pointer/use-after-free into kernel memory corruption and attempts privilege escalation to root. …
Remediation Apply the vendor-released patched kernels: upgrade to Linux 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later in your series), which carry the corrected error-cleanup logic; these are confirmed via the stable git commits at git.kernel.org (f93b00161213…, 753b149d5a43…, 1be55646d8a2…, f3cc22d4df3e…). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify systems running Intel Xe driver (Linux kernel 6.12+) with multi-user access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52976 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy