Skip to main content

Linux Kernel CVE-2026-53290

| EUVDEUVD-2026-39895 HIGH
Use After Free (CWE-416)
2026-06-26 Linux GHSA-7j5g-6r5q-hq8r
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local render-node access by a low-privileged user (PR:L, AV:L) with no interaction; kernel use-after-free yields high confidentiality, integrity, and availability impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:53 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:40 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 26, 2026 - 19:40 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/eustall: Fix drm_dev_put called before stream disable in close

In xe_eu_stall_stream_close(), drm_dev_put() is called before the stream is disabled and its resources are freed. If this drops the last reference, the device structures could be freed while the subsequent cleanup code still accesses them, leading to a use-after-free.

Fix this by moving drm_dev_put() after all device accesses are complete. This matches the ordering in xe_oa_release().

(cherry picked from commit 35aff528f7297e949e5e19c9cd7fd748cf1cf21c)

AnalysisAI

Use-after-free in the Linux kernel's Intel Xe GPU driver (drm/xe EU stall sampling) lets a local low-privileged user with access to the render/DRM device trigger memory corruption during stream close. In xe_eu_stall_stream_close() the driver calls drm_dev_put() before disabling the stream and freeing its resources, so if that call drops the last reference the device structures may be freed while subsequent cleanup still dereferences them. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-priv GPU device access
Delivery
Open Xe DRM EU stall stream
Exploit
Close stream triggering early drm_dev_put
Execution
Use-after-free on freed device structs
Impact
Corrupt kernel memory / escalate or crash

Vulnerability AssessmentAI

Exploitation Requires local access to a machine running the Linux drm/xe driver (Intel DG2/Arc discrete or Meteor Lake+ integrated GPUs) with the EU stall sampling interface reachable, and the attacker must be able to open the Xe DRM device and create/close an EU stall stream (PR:L - a low-privileged but authenticated local user, typically membership in the video/render group). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a genuine but bounded local-privilege risk rather than an urgent internet-facing threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user who can open the Intel Xe GPU device and create an EU stall sampling stream closes the stream in a way that causes drm_dev_put() to drop the final device reference, freeing structures that the close path then dereferences. By spraying the freed kernel memory with attacker-controlled data, the user could turn the use-after-free into kernel memory corruption and potentially escalate privileges or crash the host (DoS). …
Remediation Apply the upstream kernel fix that moves drm_dev_put() after all device accesses complete (cherry-picked from commit 35aff528f7297e949e5e19c9cd7fd748cf1cf21c); the patched commits are available at https://git.kernel.org/stable/c/bebce43f34b5feb8a760aa832eba81e0f8a38871, https://git.kernel.org/stable/c/84f2bfbe6e38f8b9815ca00826e53b7f51420402, and https://git.kernel.org/stable/c/dc2d9842c67d883d3200ae33b9c3859dd9492408 - update to the patched stable kernel shipped by your distribution rather than hand-picking exact upstream version numbers, since the EUVD-reported versions are inconsistent. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify and inventory all systems running Intel Xe GPU drivers and determine affected Linux kernel versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53290 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy