Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local access to the Xe device with low privileges (AV:L/PR:L); AC:H because reliable UAF exploitation needs race timing and heap grooming; full kernel-level C/I/A impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/dma-buf: fix UAF with retry loop
Retry doesn't work here, since bo will be freed on error, leading to UAF. However, now that we do the alloc & init before the attach, we can now combine this as one unit and have the init do the alloc for us. This should make the retry safe.
Reported by Sashiko.
v2: Fix up the error unwind (CI)
(cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)
AnalysisAI
Local privilege escalation and memory corruption in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) arises from a use-after-free in the dma-buf import path, where an error-handling retry loop operates on a buffer object (bo) that has already been freed. Affecting kernel 6.18 series before the 6.18.33 stable fix, a local low-privileged user with access to the Xe DRM device can trigger the freed-object access to corrupt kernel memory or leak data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access to a system running an affected Linux 6.18 kernel with the Intel Xe (drm/xe) driver active and the GPU device nodes (/dev/dri/*) reachable by the attacker - i.e., the target must have Intel Xe-supported graphics hardware and the Xe driver loaded. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a genuine but bounded local risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local low-privileged user (or code escaping a sandbox onto a machine with Intel Xe graphics) issues a crafted sequence of dma-buf import operations against the Xe DRM device, forcing the error path so the retry loop dereferences the already-freed buffer object. By grooming kernel heap allocations to reoccupy the freed slot, the attacker turns the use-after-free into controlled memory corruption to escalate privileges or disclose kernel memory. … |
| Remediation | Vendor-released patch: update to the fixed stable kernel (referenced as 6.18.33) or later, which contains the cherry-picked fix (upstream commit 479669418253e0f27f8cf5db01a731352ea592e7) merging allocation and init to make the retry path UAF-safe. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify systems running Linux kernel 6.18.0-6.18.32 with Intel Xe graphics drivers enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-825 – Expired Pointer Dereference
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38818
GHSA-mp35-p2hc-v59q