Description
In the Linux kernel, the following vulnerability has been resolved:

media: rc: xbox_remote: heed DMA restrictions

The buffer for IO must not be part of the device structure
because that violates the DMA coherency rules.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the Xbox Remote control driver, where an IO buffer is placed inside the device structure, violating the kernel’s DMA coherency rules. This misplacement can cause stale or corrupted data to be exchanged between the CPU and the device, potentially leading to kernel memory corruption. If an attacker can cause the driver to misbehave, they may be able to alter kernel memory or disrupt system integrity.

Affected Systems

Any Linux system running a kernel that includes the xbox_remote driver before the patch is susceptible. The vendor does not list specific kernel versions, so any build with the unpatched driver is considered vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity. With an EPSS score of less than 1% and no listing in the CISA KEV catalog, public exploitation is unlikely so far. The vulnerability applies when the xbox_remote module is loaded, so a local attacker with sufficient privileges to load or interact with the module could potentially trigger the fault. Disabling or removing the driver reduces the attack surface.

Generated by OpenCVE AI on June 10, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that incorporates the xbox_remote driver patch to move the DMA buffer out of the device structure.
  • If Xbox remote functionality is not required, unload or blacklist the xbox_remote module to eliminate the vulnerable code path from memory.
  • Audit any software or kernel modules that previously relied on the xbox_remote driver to ensure they do not use the old interface and have proper buffer validation to guard against related weaknesses.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 01 Jun 2026 17:00:00 +0000


Fri, 29 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-125

Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-125

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: rc: xbox_remote: heed DMA restrictions The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.
Title media: rc: xbox_remote: heed DMA restrictions
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:04:50.463Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46236

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:39.240

Modified: 2026-06-10T21:10:28.280

Link: CVE-2026-46236

Redhat

Severity :

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46236 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T23:15:28Z

Weaknesses