Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/queue: Call fini on exec queue creation fail

Every call to queue init should have a corresponding fini call.
Skipping this would mean skipping removal of the queue from GuC list
(which is part of guc_id allocation). A damaged queue stored in
exec_queue_lookup list would lead to invalid memory reference,
sooner or later.

Call fini to free guc_id. This must be done before any internal
LRCs are freed.

Since the finalization with this extra call became very similar to
__xe_exec_queue_fini(), reuse that. To make this reuse possible,
alter xe_lrc_put() so it can survive NULL parameters, like other
similar functions.

v2: Reuse _xe_exec_queue_fini(). Make xe_lrc_put() aware of NULLs.

(cherry picked from commit 393e5fea6f7d7054abc2c3d97a4cfe8306cd6079)
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs in the Linux kernel DRM Xe queue initialization path where a missing finalization call causes a dangling queue reference that is later dereferenced during lookup. This results in an invalid memory reference that can lead to kernel memory corruption, potentially enabling an attacker with local access to trigger privilege escalation or a denial‑of‑service by crashing the system. The weakness correlates with CWE‑772 – missing release of resource.
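The init/fini pairing described above, as an added example that is not part of the original record or the kernel's own code: a user-space C model in which `lookup[]` stands in for the `exec_queue_lookup` list and the guc_id space. All names (`queue_create`, `queue_init`, `queue_fini`, `lrc_put`, `published`, `reset_model`) are hypothetical, and the `call_fini` flag exists only to put the pre-fix error path beside the fixed one.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_IDS 8
#define NUM_LRC 2
struct lrc { int refs; };
struct queue { int id; struct lrc *lrc[NUM_LRC]; };
static struct queue *lookup[MAX_IDS];  /* models exec_queue_lookup / guc_id space */
static int n_published;                /* entries currently held in lookup[] */

/* NULL-tolerant put: the property the description asks of xe_lrc_put(). */
static void lrc_put(struct lrc *l) { if (l && --l->refs == 0) free(l); }

/* init: allocate an id and publish the queue in the lookup table. */
static int queue_init(struct queue *q) {
    for (int i = 0; i < MAX_IDS; i++)
        if (!lookup[i]) { lookup[i] = q; q->id = i; n_published++; return 0; }
    return -1;
}
/* fini: unpublish and release the id first, then drop LRCs (some may be NULL). */
static void queue_fini(struct queue *q) {
    if (q->id >= 0) { lookup[q->id] = NULL; q->id = -1; n_published--; }
    for (int i = 0; i < NUM_LRC; i++) { lrc_put(q->lrc[i]); q->lrc[i] = NULL; }
}
/* fail_at in [0, NUM_LRC) simulates an LRC allocation failure after init. */
static struct queue *queue_create(int fail_at, int call_fini) {
    struct queue *q = calloc(1, sizeof(*q));
    if (!q) return NULL;
    q->id = -1;
    if (queue_init(q)) goto err;
    for (int i = 0; i < NUM_LRC; i++) {
        if (i == fail_at || !(q->lrc[i] = calloc(1, sizeof(struct lrc)))) goto err;
        q->lrc[i]->refs = 1;
    }
    return q;
err:
    if (call_fini) queue_fini(q);      /* fixed path: every init gets its fini */
    else for (int i = 0; i < NUM_LRC; i++) lrc_put(q->lrc[i]);  /* pre-fix path */
    free(q);                           /* pre-fix: lookup[] still refers to q */
    return NULL;
}
static int published(void) { return n_published; }
static void reset_model(void) {
    for (int i = 0; i < MAX_IDS; i++) lookup[i] = NULL;
    n_published = 0;
}

int main(void) {
    queue_create(1, 0); printf("without fini: %d stale entry\n", published());
    reset_model();
    queue_create(1, 1); printf("with fini:    %d stale entries\n", published());
}
```

A failure at index 0 exercises the NULL-tolerant `lrc_put()`, because `queue_fini()` then runs over LRC slots that were never populated.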

Affected Systems

The defect is present in the Linux kernel’s DRM Xe module. No specific kernel release numbers are listed, so any Linux kernel build that includes the xe/queue code without the required fini call is potentially affected. Systems running kernel versions prior to the patch commit are at risk.

Risk and Exploitability

The CVSS score of 7.8 signals high severity, but the EPSS score of less than 1% indicates that exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog. The attack is most likely local, targeting the graphics subsystem; a local attacker could trigger the fault and achieve privilege escalation or a crash, although no public exploits have been reported yet.

Generated by OpenCVE AI on April 2, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the patch fixing the missing fini call in the DRM Xe queue code.
  • If a kernel upgrade is not immediately possible, verify that the graphics driver and DRM implementation are up to date and consider disabling Xe queue functionality until a fix is applied.
  • Monitor system logs for any abnormal DRM or kernel messages that could indicate lingering queue handling issues.



Advisories

No advisories yet.

History

Fri, 24 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-590

Thu, 26 Mar 2026 12:15:00 +0000


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-590

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/xe/queue: Call fini on exec queue creation fail Every call to queue init should have a corresponding fini call. Skipping this would mean skipping removal of the queue from GuC list (which is part of guc_id allocation). A damaged queue stored in exec_queue_lookup list would lead to invalid memory reference, sooner or later. Call fini to free guc_id. This must be done before any internal LRCs are freed. Since the finalization with this extra call became very similar to __xe_exec_queue_fini(), reuse that. To make this reuse possible, alter xe_lrc_put() so it can survive NULL parameters, like other similar functions. v2: Reuse _xe_exec_queue_fini(). Make xe_lrc_put() aware of NULLs. (cherry picked from commit 393e5fea6f7d7054abc2c3d97a4cfe8306cd6079)
Title drm/xe/queue: Call fini on exec queue creation fail
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:05:34.327Z

Reserved: 2026-01-13T15:37:45.999Z

Link: CVE-2026-23350

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-03-25T11:16:33.320

Modified: 2026-04-24T18:05:34.897

Link: CVE-2026-23350

Redhat

Severity :

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23350 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:04Z

Weaknesses