Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Open-code GGTT MMIO access protection

GGTT MMIO access is currently protected by hotplug (drm_dev_enter),
which works correctly when the driver loads successfully and is later
unbound or unloaded. However, if driver load fails, this protection is
insufficient because drm_dev_unplug() is never called.

Additionally, devm release functions cannot guarantee that all BOs with
GGTT mappings are destroyed before the GGTT MMIO region is removed, as
some BOs may be freed asynchronously by worker threads.

To address this, introduce an open-coded flag, protected by the GGTT
lock, that guards GGTT MMIO access. The flag is cleared during the
dev_fini_ggtt devm release function to ensure MMIO access is disabled
once teardown begins.

(cherry picked from commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431)
Published: 2026-04-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory exposure via open GGTT MMIO access
Action: Patch Update
AI Analysis

Impact

The Linux kernel’s DRM/xe driver guarded accesses to the Global Graphics Translation Table (GGTT) MMIO region with the DRM hotplug mechanism (drm_dev_enter), which only rejects accesses once drm_dev_unplug() has run. When the driver fails to load, drm_dev_unplug() is never called, so that guard is not in effect while the devm release path removes the GGTT MMIO region. Because buffer objects (BOs) holding GGTT mappings can be freed asynchronously by worker threads, a BO release can issue a GGTT MMIO access after the region is gone. A kernel-mode access to a released MMIO region will at minimum crash the machine, and the record’s current CVSS vector (7.8, C:H/I:H/A:H, raised from an initial availability-only 5.5) treats memory corruption as possible. The record is classified under CWE-1220 (Insufficient Granularity of Access Control); the underlying defect is an ordering problem between driver teardown and asynchronous BO release rather than a classic race between two user-controlled threads.
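To make the ordering concrete, here is an added, self-contained C model. It is not the xe driver’s code and not the upstream patch; every structure and function name in it is invented for the illustration. It contrasts a hotplug-style guard, which refuses access only after an unplug has happened, with the open-coded flag the fix introduces, which is cleared under the GGTT lock by the devm release function, and runs the three orderings the commit message describes: normal operation, a clean unbind after a successful load, and a failed probe followed by an asynchronous buffer-object release.

```c
/*
 * Added illustration, not code from the xe driver or the upstream fix.
 * Models the two guards the commit message contrasts:
 *   - a hotplug-style "unplugged" flag that only unplug() sets, and
 *   - an explicit "mmio_ok" flag read and cleared under the GGTT lock.
 * All names are made up for the example; the "GGTT lock" is a spinlock
 * on an atomic_flag and the "MMIO region" is a heap buffer.
 */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GGTT_WORDS 16

struct fake_ggtt {
	atomic_flag lock;   /* plays the role of the GGTT lock */
	bool unplugged;     /* hotplug guard: set only by fake_dev_unplug() */
	bool mmio_ok;       /* open-coded guard: cleared by fake_fini_ggtt() */
	uint32_t *mmio;     /* plays the role of the mapped GGTT MMIO region */
};

static void ggtt_lock(struct fake_ggtt *g)
{
	while (atomic_flag_test_and_set(&g->lock))
		;
}

static void ggtt_unlock(struct fake_ggtt *g)
{
	atomic_flag_clear(&g->lock);
}

static void fake_ggtt_init(struct fake_ggtt *g)
{
	memset(g, 0, sizeof(*g));
	atomic_flag_clear(&g->lock);
	g->mmio = calloc(GGTT_WORDS, sizeof(*g->mmio));
	g->mmio_ok = true;
}

/* What drm_dev_unplug() would do; it runs on unbind/unload only. */
static void fake_dev_unplug(struct fake_ggtt *g)
{
	g->unplugged = true;
}

/* devm release: disable MMIO access under the lock, then drop the region. */
static void fake_fini_ggtt(struct fake_ggtt *g)
{
	ggtt_lock(g);
	g->mmio_ok = false;
	ggtt_unlock(g);
	free(g->mmio);
	g->mmio = NULL;   /* a real driver gets no such courtesy */
}

/* Original guard: refuse only once unplugged. A NULL region returns
 * -EFAULT here to stand in for the stale MMIO access a real driver
 * would perform at this point. */
static int ggtt_write_hotplug_guarded(struct fake_ggtt *g, unsigned int idx, uint32_t val)
{
	if (g->unplugged)
		return -ENODEV;
	if (!g->mmio)
		return -EFAULT;
	g->mmio[idx] = val;
	return 0;
}

/* Fixed guard: flag check and access both happen under the GGTT lock,
 * so a concurrent fini cannot slip in between them. */
static int ggtt_write_flag_guarded(struct fake_ggtt *g, unsigned int idx, uint32_t val)
{
	int ret = 0;

	ggtt_lock(g);
	if (!g->mmio_ok)
		ret = -ENODEV;
	else
		g->mmio[idx] = val;
	ggtt_unlock(g);
	return ret;
}

/* Normal operation: the write succeeds under either guard. */
static int write_during_normal_operation(bool use_fix)
{
	struct fake_ggtt g;
	int ret;

	fake_ggtt_init(&g);
	ret = use_fix ? ggtt_write_flag_guarded(&g, 3, 0x1)
		      : ggtt_write_hotplug_guarded(&g, 3, 0x1);
	fake_fini_ggtt(&g);
	return ret;
}

/* Successful load, later unbind: unplug runs first, both guards refuse. */
static int write_after_clean_unbind(bool use_fix)
{
	struct fake_ggtt g;

	fake_ggtt_init(&g);
	fake_dev_unplug(&g);
	fake_fini_ggtt(&g);
	return use_fix ? ggtt_write_flag_guarded(&g, 3, 0x1)
		       : ggtt_write_hotplug_guarded(&g, 3, 0x1);
}

/* Probe failure: unplug never runs, devm still tears the GGTT down, and a
 * BO freed later by a worker issues one more GGTT write. */
static int write_after_probe_failure(bool use_fix)
{
	struct fake_ggtt g;

	fake_ggtt_init(&g);
	/* no fake_dev_unplug(): the driver never got far enough */
	fake_fini_ggtt(&g);
	return use_fix ? ggtt_write_flag_guarded(&g, 3, 0x1)
		       : ggtt_write_hotplug_guarded(&g, 3, 0x1);
}
```

In the failed-probe ordering the hotplug guard lets the late write through to a region that has already been released (modelled as -EFAULT rather than a real stale access), while the flag held under the lock refuses it with -ENODEV. Clearing and reading the flag under the same lock is what covers the asynchronous case: without the lock a worker could observe the flag as set, be preempted, and resume its write after the release function has removed the region.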

Affected Systems

All Linux kernel builds that include the DRM/xe driver (Intel’s driver for Xe-architecture GPUs, CONFIG_DRM_XE) and predate the fix are affected, so any distribution shipping such a kernel is affected. The fix is upstream commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431 (the description’s "cherry picked from" line refers to it); vendors and administrators should check whether their kernel carries that commit or a stable backport of it.

Risk and Exploitability

The CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates the issue high. The EPSS score below 1% and the absence of a CISA KEV listing indicate no known exploitation in the wild. The vector requires local access with only low privileges (PR:L), not an existing high-privilege foothold. From the description, the trigger is a failed xe driver load: drm_dev_unplug() is never called, so buffer objects whose release is still pending on a worker thread can touch the GGTT MMIO region after the devm release function has removed it. The record does not state which actions, if any, let an unprivileged user force a probe failure. The history below shows the vector was raised on 27 Apr 2026 from an availability-only rating (5.5) to C:H/I:H/A:H (7.8).

Generated by OpenCVE AI on April 28, 2026 at 16:37 UTC.

Remediation

No distribution-specific fix or workaround is listed on this page. The upstream fix is the drm/xe commit named in the description (4f3a998a173b4325c2efd90bdadc6ccd3ad9a431); kernels that carry it are fixed.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the drm/xe GGTT MMIO protection patch (upstream commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431); confirm it through your distribution’s changelog or by searching the kernel tree for that commit.
  • If a kernel update is not immediately possible, identify machines where the xe driver fails to probe (for example, an xe probe error in dmesg): the vulnerable window is teardown after a failed load, whereas teardown after a successful load is covered by the existing hotplug guard.
  • If the GPU is not needed, prevent xe from loading: add `blacklist xe` together with `install xe /bin/false` to a file under /etc/modprobe.d/ (a `blacklist` line alone only stops alias-based autoloading, not explicit or dependency loads), regenerate the initramfs, or pass `modprobe.blacklist=xe` on the kernel command line. This does not apply when xe is built into the kernel rather than a module.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 07 Apr 2026 08:00:00 +0000

Type: Weaknesses
Values: CWE-285, CWE-732

Sat, 04 Apr 2026 01:15:00 +0000

Type: Weaknesses
Values Added: CWE-1220

Type: References
(values not shown)

Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Moderate; cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 03 Apr 2026 21:30:00 +0000

Type: Weaknesses
Values: CWE-285, CWE-732

Fri, 03 Apr 2026 16:30:00 +0000

Type: Description
Values Added: the full description shown at the top of this page ("In the Linux kernel, the following vulnerability has been resolved: drm/xe: Open-code GGTT MMIO access protection ...")

Type: Title
Values Added: drm/xe: Open-code GGTT MMIO access protection

Type: First Time appeared
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Linux; Linux linux Kernel

Type: References
(values not shown)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:40.866Z

Reserved: 2026-01-13T15:37:46.021Z

Link: CVE-2026-23466

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:34.017

Modified: 2026-04-27T14:16:34.890

Link: CVE-2026-23466

Redhat

Severity : Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23466 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T16:45:06Z

Weaknesses