Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise

Add validation in xe_vm_madvise_ioctl() to reject PAT indices with
XE_COH_NONE coherency mode when applied to CPU cached memory.

Using coh_none with CPU cached buffers is a security issue. When the
kernel clears pages before reallocation, the clear operation stays in
CPU cache (dirty). GPU with coh_none can bypass CPU caches and read
stale sensitive data directly from DRAM, potentially leaking data from
previously freed pages of other processes.

This aligns with the existing validation in vm_bind path
(xe_vm_bind_ioctl_validate_bo).

v2(Matthew brost)
- Add fixes
- Move one debug print to better place

v3(Matthew Auld)
- Should be drm/xe/uapi
- More Cc

v4(Shuicheng Lin)
- Fix kmem leak issues by the way

v5
- Remove kmem leak because it has been merged by another patch

v6
- Remove the fix which is not related to current fix

v7
- No change

v8
- Rebase

v9
- Limit the restrictions to iGPU

v10
- No change

(cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a)
Published: 2026-06-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel fails to validate a PAT index supplied by users through the xe_vm_madvise_ioctl() interface. When the kernel is asked to use the coh_none (XE_COH_NONE) coherency mode on a CPU‑cached buffer, the clear operation remains in the CPU cache and becomes dirty. A GPU that operates in coh_none mode can bypass CPU caches and read that stale data directly from DRAM, potentially exposing sensitive data that was previously freed by other processes. This flaw represents an improper input validation weakness that enables information disclosure.

Affected Systems

The affected product is the Linux kernel. Any kernel version that does not include the patch that rejects coh_none PAT indices for CPU‑cached memory is vulnerable. The relevant commit identifiers are 4e5591c2fc1b30f4ea5e2eab4c3a695acc404e39 and 87f9b1528e1ffc1da3615d552c9a06aba5e20b00, so all releases preceding these commits should be considered at risk.

Risk and Exploitability

Based on the description, it is inferred that the vulnerability can be triggered via a DRM ioctl call, requiring a user‑level process that has write access to the DRM device. The CVSS score is 7.0, which is considered high. The EPSS score is not listed, and the vulnerability is not in the CISA KEV catalog, so exploitation may be limited to local users with GPU driver access. The risk remains significant until a vendor patch is applied.

Generated by OpenCVE AI on June 9, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the patch rejecting coh_none PAT indices for CPU‑cached memory.
  • Update the DRM and GPU drivers to versions that validate PAT indices.
  • If a kernel or driver upgrade is not possible, restrict DRM device access to trusted users only and consider disabling GPU support for untrusted workloads to mitigate leakage under CWE‑524.

Generated by OpenCVE AI on June 9, 2026 at 04:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-200

Tue, 09 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-524
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-200

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise Add validation in xe_vm_madvise_ioctl() to reject PAT indices with XE_COH_NONE coherency mode when applied to CPU cached memory. Using coh_none with CPU cached buffers is a security issue. When the kernel clears pages before reallocation, the clear operation stays in CPU cache (dirty). GPU with coh_none can bypass CPU caches and read stale sensitive data directly from DRAM, potentially leaking data from previously freed pages of other processes. This aligns with the existing validation in vm_bind path (xe_vm_bind_ioctl_validate_bo). v2(Matthew brost) - Add fixes - Move one debug print to better place v3(Matthew Auld) - Should be drm/xe/uapi - More Cc v4(Shuicheng Lin) - Fix kmem leak issues by the way v5 - Remove kmem leak because it has been merged by another patch v6 - Remove the fix which is not related to current fix v7 - No change v8 - Rebase v9 - Limit the restrictions to iGPU v10 - No change (cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a)
Title drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-08T15:50:39.689Z

Reserved: 2026-05-13T15:03:33.111Z

Link: CVE-2026-46309

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T17:16:49.820

Modified: 2026-06-08T17:16:49.820

Link: CVE-2026-46309

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-46309 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T04:30:42Z

Weaknesses