CVE-2026-43395 - Vulnerability Details

- drm/xe/sync: Cleanup partially initialized sync on parse failure

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/sync: Cleanup partially initialized sync on parse failure

xe_sync_entry_parse() can allocate references (syncobj, fence, chain fence,
or user fence) before hitting a later failure path. Several of those paths
returned directly, leaving partially initialized state and leaking refs.

Route these error paths through a common free_sync label and call
xe_sync_entry_cleanup(sync) before returning the error.

(cherry picked from commit f939bdd9207a5d1fc55cced5459858480686ce22)

Published: 2026-05-08

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the Linux kernel DRM Xe sync subsystem. The function xe_sync_entry_parse() may allocate kernel objects such as syncobj, fence, chain fence, or a user fence before a failure path is hit. Several of those paths return directly, leaving the allocated references live. This results in a leaking of kernel resources that are never released, which can lead to gradual depletion of memory or other critical kernel bookkeeping structures and ultimately cause a denial‑of‑service condition.

Affected Systems

All Linux kernel releases that do not yet contain commit f939bdd9207a5d1fc55cced5459858480686ce22. The affected component is the DRM Xe sync subsystem, which is part of the vanilla Linux kernel. Users running any active kernel prior to that commit are at risk until the distribution provides an updated kernel image.

Risk and Exploitability

EPSS data is not available and the vulnerability is not listed in CISA KEV. The flaw is a resource‑leak type; exploitation requires triggering the parse routine, typically via ordinary DRM operations and does not require elevated privileges. The likely attack vector is local or any software that can invoke drm/xe sync processing. The potential for a denial‑of‑service condition exists if an attacker can repeatedly induce parse failures to accumulate leaked references. While widespread exploitation is not currently documented, the risk is moderate due to the possibility of a gradual resource exhaustion. The CVSS score is 5.5, indicating moderate severity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`dd08ebf6c3525a7ea2186e636df064ea47281987`	affected	< 91c228f96fcfacc2341a58815b1da8c69da94ebb
`dd08ebf6c3525a7ea2186e636df064ea47281987`	affected	< af65cd1853599394b94201c08bed7a46717db478
`dd08ebf6c3525a7ea2186e636df064ea47281987`	affected	< f0af63ffa06306f12592cd3919fad6957b425e1b
`dd08ebf6c3525a7ea2186e636df064ea47281987`	affected	< 1bfd7575092420ba5a0b944953c95b74a5646ff8

Linux

affected

Version	Status	Constraints
`6.8`	affected	—
`0`	unaffected	< 6.8
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[dd08ebf6c3525a7ea2186e636df064ea47281987,91c228f96fcfacc2341a58815b1da8c69da94ebb)`	affected	code_commit	—
`[dd08ebf6c3525a7ea2186e636df064ea47281987,af65cd1853599394b94201c08bed7a46717db478)`	affected	code_commit	—
`[dd08ebf6c3525a7ea2186e636df064ea47281987,f0af63ffa06306f12592cd3919fad6957b425e1b)`	affected	code_commit	—
`[dd08ebf6c3525a7ea2186e636df064ea47281987,1bfd7575092420ba5a0b944953c95b74a5646ff8)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.8`	affected	semver	—
`[0,6.8)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the running kernel to a version that contains commit f939bdd9207a5d1fc55cced5459858480686ce22 or later.
If the distribution does not provide an updated kernel, rebuild the kernel locally with the patch applied and install the patched image.
Disable or restrict any privileged applications that invoke DRM Xe sync operations until the kernel is updated, thereby preventing the token from triggering the vulnerable parsing routine.

Generated by OpenCVE AI on May 9, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1bfd7575092420ba5a0b944953c95b74a5646ff8
https://git.kernel.org/stable/c/91c228f96fcfacc2341a58815b1da8c69da94ebb
https://git.kernel.org/stable/c/af65cd1853599394b94201c08bed7a46717db478
https://git.kernel.org/stable/c/f0af63ffa06306f12592cd3919fad6957b425e1b
https://lore.kernel.org/linux-cve-announce/2026050838-CVE-2026-43395-e92c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43395
https://www.cve.org/CVERecord?id=CVE-2026-43395

History

Sat, 09 May 2026 02:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-754

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-459
References		https://lore.kernel.org/linux-cve-announce/2026050838-CVE-2026-43395-e92c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43395 https://www.cve.org/CVERecord?id=CVE-2026-43395
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 08 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-754

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Cleanup partially initialized sync on parse failure xe_sync_entry_parse() can allocate references (syncobj, fence, chain fence, or user fence) before hitting a later failure path. Several of those paths returned directly, leaving partially initialized state and leaking refs. Route these error paths through a common free_sync label and call xe_sync_entry_cleanup(sync) before returning the error. (cherry picked from commit f939bdd9207a5d1fc55cced5459858480686ce22)
Title		drm/xe/sync: Cleanup partially initialized sync on parse failure
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1bfd7575092420ba5a0b944953c95b74a5646ff8 https://git.kernel.org/stable/c/91c228f96fcfacc2341a58815b1da8c69da94ebb https://git.kernel.org/stable/c/af65cd1853599394b94201c08bed7a46717db478 https://git.kernel.org/stable/c/f0af63ffa06306f12592cd3919fad6957b425e1b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:38.756Z

Updated: 2026-05-08T14:21:38.756Z

Reserved: 2026-05-01T14:12:56.007Z

Link: CVE-2026-43395

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:50.907

Modified: 2026-05-08T15:16:50.907

Link: CVE-2026-43395

Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43395 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T04:00:14Z

Weaknesses

CWE-459

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object