Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise

When a user provides a bogus pat_index value through the madvise IOCTL, the
xe_pat_index_get_coh_mode() function performs an array access without
validating bounds. This allows a malicious user to trigger an out-of-bounds
kernel read from the xe->pat.table array.

The vulnerability exists because the validation in madvise_args_are_sane()
directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without
first checking if pat_index is within [0, xe->pat.n_entries).

Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug
builds, it still performs the unsafe array access in production kernels.

v2(Matthew Auld)
- Using array_index_nospec() to mitigate Spectre attacks when the value
is used

v3(Matthew Auld)
- Put the declarations at the start of the block

(cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)
Published: 2026-05-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's Xe graphics driver (drm/xe) failed to validate the pat_index supplied through a madvise IOCTL before using it to index an internal array. The unchecked index allowed a crafted value to trigger an out-of-bounds read from the xe->pat.table array, potentially exposing kernel memory contents. This flaw is an instance of improper input validation and unsafe array access, leading to information disclosure in kernel space.
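The shape of the fix described above, as a userspace C model added here; it is not the kernel patch or the driver's code. The struct, function and table names are hypothetical stand-ins, the table contents are constructed, and index_mask_nospec() is modeled on the kernel's generic array_index_mask_nospec().

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the driver's PAT table; not kernel code. */
struct pat_entry { uint16_t coh_mode; };
struct pat_model { const struct pat_entry *table; unsigned long n_entries; };

/* Constructed sample table with four entries. */
static const struct pat_entry sample_table[] = { {1}, {2}, {2}, {3} };
static const struct pat_model sample_pat = { sample_table, 4 };

/* Pre-fix shape, for contrast: indexes the table with no range check. */
static uint16_t coh_mode_unchecked(const struct pat_model *pat, uint64_t i)
{
    return pat->table[i].coh_mode;
}

/* Branch-free mask: all ones when index < size, zero otherwise.
 * Relies on arithmetic right shift of a negative long (gcc/clang). */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (sizeof(long) * 8 - 1));
}

/* Post-fix shape: reject out-of-range values, then clamp before the access
 * so a mispredicted branch cannot use the raw index. 0 or -EINVAL. */
static int coh_mode_checked(const struct pat_model *pat, uint64_t user_index,
                            uint16_t *coh_mode)
{
    unsigned long idx;

    if (user_index >= pat->n_entries)
        return -EINVAL;
    idx = (unsigned long)user_index & index_mask_nospec(user_index, pat->n_entries);
    *coh_mode = coh_mode_unchecked(pat, idx);
    return 0;
}

int main(void)
{
    uint16_t mode = 0;
    int ok = coh_mode_checked(&sample_pat, 3, &mode);
    int bad = coh_mode_checked(&sample_pat, 4, &mode);
    printf("index 3: %d (mode %d), index 4: %d\n", ok, mode, bad);
    return 0;
}
```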

Affected Systems

The vulnerability resides in the Linux kernel, affecting all kernel releases prior to the inclusion of the patch that introduces bounds checking on pat_index. No specific version range is listed in the CNA data, so any kernel build that lacks the commit 944a3329b05510d55c69c2ef455136e2fc02de29 is considered vulnerable.

Risk and Exploitability

Based on the description, the vulnerability requires a malicious user to interact with the drm/xe driver by sending a madvise IOCTL with a crafted pat_index value. The exact privilege level needed to perform this I/O operation is not detailed in the data and is therefore uncertain; it likely depends on device node permissions but cannot be confirmed from the provided information. The CVSS score of 7.1 signals high severity, and the EPSS score of < 1% indicates a low likelihood of exploitation. Because the vulnerability is not listed in CISA's KEV catalog it is not known to have active exploits, but the potential to read kernel memory presents a serious confidentiality risk if successfully leveraged.

Generated by OpenCVE AI on May 8, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that contains the bounds‑check patch for the Xe madvise interface.
  • If a kernel upgrade is not immediately possible, disable the Xe DRM feature or unload the driver to keep the vulnerable interface unavailable.
  • Limit user access to the Xe DRM device by configuring udev rules or using SELinux/AppArmor to restrict which users can open /dev/dri/* devices.



Advisories

No advisories yet.

History

Fri, 08 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Thu, 07 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-788

Thu, 07 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-788

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise When user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array. The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries). Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels. v2(Matthew Auld) - Using array_index_nospec() to mitigate spectre attacks when the value is used v3(Matthew Auld) - Put the declarations at the start of the block (cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)
Title drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:30.323Z

Reserved: 2026-05-01T14:12:55.998Z

Link: CVE-2026-43280

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:49.477

Modified: 2026-05-08T19:04:39.060

Link: CVE-2026-43280

Red Hat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43280 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T21:15:05Z

Weaknesses