Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local render-node access by a low-privileged user (PR:L, AV:L) with no interaction; kernel use-after-free yields high confidentiality, integrity, and availability impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/eustall: Fix drm_dev_put called before stream disable in close
In xe_eu_stall_stream_close(), drm_dev_put() is called before the stream is disabled and its resources are freed. If this drops the last reference, the device structures could be freed while the subsequent cleanup code still accesses them, leading to a use-after-free.
Fix this by moving drm_dev_put() after all device accesses are complete. This matches the ordering in xe_oa_release().
(cherry picked from commit 35aff528f7297e949e5e19c9cd7fd748cf1cf21c)
AnalysisAI
Use-after-free in the Linux kernel's Intel Xe GPU driver (drm/xe EU stall sampling) lets a local low-privileged user with access to the render/DRM device trigger memory corruption during stream close. In xe_eu_stall_stream_close() the driver calls drm_dev_put() before disabling the stream and freeing its resources, so if that call drops the last reference the device structures may be freed while subsequent cleanup still dereferences them. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access to a machine running the Linux drm/xe driver (Intel DG2/Arc discrete or Meteor Lake+ integrated GPUs) with the EU stall sampling interface reachable, and the attacker must be able to open the Xe DRM device and create/close an EU stall stream (PR:L - a low-privileged but authenticated local user, typically membership in the video/render group). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a genuine but bounded local-privilege risk rather than an urgent internet-facing threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user who can open the Intel Xe GPU device and create an EU stall sampling stream closes the stream in a way that causes drm_dev_put() to drop the final device reference, freeing structures that the close path then dereferences. By spraying the freed kernel memory with attacker-controlled data, the user could turn the use-after-free into kernel memory corruption and potentially escalate privileges or crash the host (DoS). … |
| Remediation | Apply the upstream kernel fix that moves drm_dev_put() after all device accesses complete (cherry-picked from commit 35aff528f7297e949e5e19c9cd7fd748cf1cf21c); the patched commits are available at https://git.kernel.org/stable/c/bebce43f34b5feb8a760aa832eba81e0f8a38871, https://git.kernel.org/stable/c/84f2bfbe6e38f8b9815ca00826e53b7f51420402, and https://git.kernel.org/stable/c/dc2d9842c67d883d3200ae33b9c3859dd9492408 - update to the patched stable kernel shipped by your distribution rather than hand-picking exact upstream version numbers, since the EUVD-reported versions are inconsistent. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify and inventory all systems running Intel Xe GPU drivers and determine affected Linux kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39895
GHSA-7j5g-6r5q-hq8r