CVE-2026-31390 - Vulnerability Details

- drm/xe: Fix memory leak in xe_vm_madvise_ioctl

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix memory leak in xe_vm_madvise_ioctl

When check_bo_args_are_sane() validation fails, jump to the new
free_vmas cleanup label to properly free the allocated resources.
This ensures proper cleanup in this error path.

(cherry picked from commit 29bd06faf727a4b76663e4be0f7d770e2d2a7965)

Published: 2026-04-03

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability was a memory leak in the Linux kernel's DRM (drm/xe) subsystem, specifically in the xe_vm_madvise_ioctl handler. When the check_bo_args_are_sane() validation fails, resources allocated for virtual memory areas (VMAs) were not properly freed, leading to a leak. This is a classic example of resource exhaustion (CWE-459). While it does not provide direct code execution, the accumulation of unreleased memory could degrade system performance or culminate in a denial of service.

Affected Systems

The issue affects Linux kernel builds where the drm/xe module is compiled. The impacted binaries are part of the standard Linux kernel (vendor Linux, product Linux). Specific kernel versions are not enumerated in the CVE entry, so any kernel containing the vulnerable code before the fix is susceptible. Administrative users or processes with access to the DRM subsystem could trigger the flaw.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation in the wild. The flaw is not listed in CISA's Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that exploitation requires local access, such that a user or process can invoke xe_vm_madvise_ioctl and cause a validation failure. An attacker with local or elevated privileges could use this path to degrade system resources, potentially leading to a service disruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`293032eec4baa04374d62dd44de61e355296ad32`	affected	< c3aa7b837920c844d5ae0dd3dbaeb465a461de40
`293032eec4baa04374d62dd44de61e355296ad32`	affected	< 1c87b48a0ff040723f84a67b32892af7e6a3634f
`293032eec4baa04374d62dd44de61e355296ad32`	affected	< 0cfe9c4838f1147713f6b5c02094cd4dc0c598fa

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[293032eec4baa04374d62dd44de61e355296ad32,c3aa7b837920c844d5ae0dd3dbaeb465a461de40)`	affected	code_commit	—
`[293032eec4baa04374d62dd44de61e355296ad32,1c87b48a0ff040723f84a67b32892af7e6a3634f)`	affected	code_commit	—
`[293032eec4baa04374d62dd44de61e355296ad32,0cfe9c4838f1147713f6b5c02094cd4dc0c598fa)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	semver	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that includes the fix (commit 29bd06f or later).
Verify the kernel contains the patch by checking the commit history or running "git log" for the relevant module.
If an immediate kernel upgrade is not possible, monitor system memory usage and restart affected services or reboot to reclaim leaked memory.
If the drm/xe module is not required, disable it to eliminate the risk.

Generated by OpenCVE AI on April 7, 2026 at 09:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0cfe9c4838f1147713f6b5c02094cd4dc0c598fa
https://git.kernel.org/stable/c/1c87b48a0ff040723f84a67b32892af7e6a3634f
https://git.kernel.org/stable/c/c3aa7b837920c844d5ae0dd3dbaeb465a461de40
https://lore.kernel.org/linux-cve-announce/2026040324-CVE-2026-31390-f363@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31390
https://www.cve.org/CVERecord?id=CVE-2026-31390

History

Tue, 07 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-399

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-459
References		https://lore.kernel.org/linux-cve-announce/2026040324-CVE-2026-31390-f363@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31390 https://www.cve.org/CVERecord?id=CVE-2026-31390
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-399

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix memory leak in xe_vm_madvise_ioctl When check_bo_args_are_sane() validation fails, jump to the new free_vmas cleanup label to properly free the allocated resources. This ensures proper cleanup in this error path. (cherry picked from commit 29bd06faf727a4b76663e4be0f7d770e2d2a7965)
Title		drm/xe: Fix memory leak in xe_vm_madvise_ioctl
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0cfe9c4838f1147713f6b5c02094cd4dc0c598fa https://git.kernel.org/stable/c/1c87b48a0ff040723f84a67b32892af7e6a3634f https://git.kernel.org/stable/c/c3aa7b837920c844d5ae0dd3dbaeb465a461de40

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:56.035Z

Updated: 2026-04-13T06:08:15.228Z

Reserved: 2026-03-09T15:48:24.084Z

Link: CVE-2026-31390

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:36.987

Modified: 2026-04-07T13:20:55.200

Link: CVE-2026-31390

Redhat

Severity : Low

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31390 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:53:34Z

Weaknesses

CWE-459

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object