Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local authenticated user (AV:L/PR:L); AC:H because exploitation needs the rarely-taken error path induced via resource exhaustion/race; UAF yields full memory-corruption impact (C/I/A:H).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()
Two error handling issues exist in xe_exec_queue_create_ioctl():
- When xe_hw_engine_group_add_exec_queue() fails, the error path jumps
to put_exec_queue which skips xe_exec_queue_kill(). If the VM is in preempt fence mode, xe_vm_add_compute_exec_queue() has already added the queue to the VM's compute exec queue list. Skipping the kill leaves the queue on that list, leading to a dangling pointer after the queue is freed.
- When xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has
succeeded, the error path does not call xe_hw_engine_group_del_exec_queue() to remove the queue from the hw engine group list. The queue is then freed while still linked into the hw engine group, causing a use-after-free.
Fix both by:
- Changing the xe_hw_engine_group_add_exec_queue() failure path to jump
to kill_exec_queue so that xe_exec_queue_kill() properly removes the queue from the VM's compute list.
- Adding a del_hw_engine_group label before kill_exec_queue for the
xa_alloc() failure path, which removes the queue from the hw engine group before proceeding with the rest of the cleanup.
(cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)
AnalysisAI
Local privilege escalation in the Linux kernel's drm/xe Intel GPU driver arises from two error-handling defects in xe_exec_queue_create_ioctl() that leave a freed exec queue linked into either the VM's preempt-fence compute list or the hardware engine group list, producing a dangling pointer and a use-after-free. A local user with access to the DRM device on systems running the affected Intel Xe driver (introduced around 6.12) can trigger the faulty cleanup paths to corrupt kernel memory, with potential for code execution at kernel privilege. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access to the host and the ability to open the Intel Xe DRM device node and issue DRM_IOCTL_XE_EXEC_QUEUE_CREATE - so the system must have a supported recent Intel GPU with the xe driver loaded (kernel 6.12+). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a real but locally-scoped issue rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A logged-in local user (or a process escaped into an unprivileged container with GPU access) on a host with the Intel Xe driver repeatedly calls the exec-queue-create ioctl against a preempt-fence VM while inducing resource exhaustion so the post-registration cleanup branch is taken, freeing an exec queue that is still linked into the VM compute list or hw engine group. By grooming the kernel heap to reclaim the freed object, the attacker turns the resulting dangling-pointer/use-after-free into kernel memory corruption and attempts privilege escalation to root. … |
| Remediation | Apply the vendor-released patched kernels: upgrade to Linux 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later in your series), which carry the corrected error-cleanup logic; these are confirmed via the stable git commits at git.kernel.org (f93b00161213…, 753b149d5a43…, 1be55646d8a2…, f3cc22d4df3e…). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify systems running Intel Xe driver (Linux kernel 6.12+) with multi-user access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-825 – Expired Pointer Dereference
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38844
GHSA-c52j-4pg6-8f2f