CVE-2026-23421 - Vulnerability Details

- drm/xe/configfs: Free ctx_restore_mid_bb in release

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/configfs: Free ctx_restore_mid_bb in release

ctx_restore_mid_bb memory is allocated in wa_bb_store(), but
xe_config_device_release() only frees ctx_restore_post_bb.

Free ctx_restore_mid_bb[0].cs as well to avoid leaking the allocation
when the configfs device is removed.

(cherry picked from commit a235e7d0098337c3f2d1e8f3610c719a589e115f)

Published: 2026-04-03

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel contains a missing deallocation routine in the DRM Xe (xe) configuration filesystem. Memory allocated for ctx_restore_mid_bb inside wa_bb_store() is never released during device removal, allowing data to remain in kernel memory after the configfs device is released. This oversight can leak sensitive kernel data and is classified as a missing release of allocated memory.

Affected Systems

All Linux kernel releases that ship the drm/xe/configfs subsystem without the fix are affected. The vulnerability applies across distributions that include the upstream kernel module; specific version numbers are not listed in the advisory.

Risk and Exploitability

The moderate CVSS score of 5.5 reflects a mid-level severity. The EPSS score of < 1% indicates a very low probability that this vulnerability will be actively exploited in the wild, aligning with the lack of publicly disclosed exploits and its absence from the CISA KEV catalogue. An attacker would still require local privileged access or the ability to trigger the removal of a DRM Xe configfs device to trigger the leak, implying a local and privileged attack surface. Overall, the risk remains moderate, with no immediate remote exploitation vectors identified.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`b30d5de3d40c3fa642079bac0d91f17091c5f877`	affected	< 7f971dfd48983074adc7bbcea3ee95ce7aad47cb
`b30d5de3d40c3fa642079bac0d91f17091c5f877`	affected	< 3557359ea3df32430ea7c30f7a708ca9a91d7e0e
`b30d5de3d40c3fa642079bac0d91f17091c5f877`	affected	< e377182f0266f46f02d01838e6bde67b9dac0d66

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.18:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[b30d5de3d40c3fa642079bac0d91f17091c5f877,7f971dfd48983074adc7bbcea3ee95ce7aad47cb)`	affected	code_commit	—
`[b30d5de3d40c3fa642079bac0d91f17091c5f877,3557359ea3df32430ea7c30f7a708ca9a91d7e0e)`	affected	code_commit	—
`[b30d5de3d40c3fa642079bac0d91f17091c5f877,e377182f0266f46f02d01838e6bde67b9dac0d66)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	generic	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a revision that includes the fix so that xe_config_device_release() correctly frees ctx_restore_mid_bb.
Restrict write and removal permissions on /sys/kernel/configfs or disable the DRM Xe device if it is not required for your workloads.
Continuously monitor kernel logs and system behavior for signs of kernel memory leaks or abnormal device removal events.

Generated by OpenCVE AI on April 28, 2026 at 21:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3557359ea3df32430ea7c30f7a708ca9a91d7e0e
https://git.kernel.org/stable/c/7f971dfd48983074adc7bbcea3ee95ce7aad47cb
https://git.kernel.org/stable/c/e377182f0266f46f02d01838e6bde67b9dac0d66
https://lore.kernel.org/linux-cve-announce/2026040304-CVE-2026-23421-dace@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23421
https://www.cve.org/CVERecord?id=CVE-2026-23421

History

Fri, 24 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:6.18:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026040304-CVE-2026-23421-dace@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23421 https://www.cve.org/CVERecord?id=CVE-2026-23421
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772

Fri, 03 Apr 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/xe/configfs: Free ctx_restore_mid_bb in release ctx_restore_mid_bb memory is allocated in wa_bb_store(), but xe_config_device_release() only frees ctx_restore_post_bb. Free ctx_restore_mid_bb[0].cs as well to avoid leaking the allocation when the configfs device is removed. (cherry picked from commit a235e7d0098337c3f2d1e8f3610c719a589e115f)
Title		drm/xe/configfs: Free ctx_restore_mid_bb in release
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3557359ea3df32430ea7c30f7a708ca9a91d7e0e https://git.kernel.org/stable/c/7f971dfd48983074adc7bbcea3ee95ce7aad47cb https://git.kernel.org/stable/c/e377182f0266f46f02d01838e6bde67b9dac0d66

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T13:24:30.548Z

Updated: 2026-04-13T06:07:07.506Z

Reserved: 2026-01-13T15:37:46.015Z

Link: CVE-2026-23421

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-03T14:16:28.190

Modified: 2026-04-24T15:21:16.940

Link: CVE-2026-23421

Redhat

Severity : Low

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23421 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T22:00:14Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object