Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local, low-privilege GPU workload access (AV:L/PR:L); AC:H because it needs Intel Xe hardware, LR/preempt-fence userptr mode, and an idle-during-suspend timing window; stale mappings yield high CIA.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend"
This reverts commit 8533051ce92015e9cc6f75e0d52119b9d91610b6.
The idle-skip optimization bypasses GuC suspend, so the GPU may not perform the context switch that flushes TLB entries for invalidated userptr VMAs. In LR/preempt-fence VM mode, this can lead to missed TLB invalidation and page faults during userptr invalidation tests.
Restore unconditional schedule toggling on suspend so the context-switch TLB flush is always performed.
This optimization will be reintroduced with a fix that does not skip suspend in LR/preempt-fence VM mode.
(cherry picked from commit 6a1e7934d9a6cf46aecae00a99c2603d1295e170)
AnalysisAI
Local privilege/memory-integrity exposure in the Linux kernel's drm/xe Intel GPU driver stems from a missed TLB invalidation: a previously merged optimization that skipped GuC scheduler suspend toggling when an exec queue was idle has been reverted because it bypassed the context switch that flushes TLB entries for invalidated userptr VMAs. On Intel Xe GPUs running in long-running (LR)/preempt-fence VM mode, this leaves stale TLB mappings to invalidated user pointers, producing page faults and stale-memory access during userptr invalidation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access (CVSS PR:L, AV:L) on a system with an Intel Xe GPU using the drm/xe driver, and the workload must use userptr-backed VMAs in long-running (LR)/preempt-fence VM mode - this is the exact configuration named in the description. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are broadly consistent and point to a real but constrained local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with permission to submit GPU workloads on an Intel Xe system configures a long-running/preempt-fence VM using userptr-backed buffers, then invalidates those user pages while the exec queue is idle and a suspend occurs, so the stale TLB entries are never flushed. The GPU continues to reference now-invalidated physical pages, enabling stale-memory reads/writes or triggering page faults that could be leveraged toward information disclosure or memory corruption. … |
| Remediation | Apply the upstream stable fix, which is the revert restoring unconditional GuC schedule toggling on suspend: upgrade to a kernel containing commit b69b715f48ac7e802c89ed5924795c5b055da91e or fa7c84726dc217ce0c183926ef9411636c7a2213 (stable releases reported around Linux 7.0.13 / 7.1). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems with Intel Xe GPUs enabled and document their kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39292
GHSA-xx7h-359j-qhv7