Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/dma-buf: fix UAF with retry loop

Retry doesn't work here, since bo will be freed on error, leading to
UAF. However, now that we do the alloc & init before the attach, we can
now combine this as one unit and have the init do the alloc for us. This
should make the retry safe.

Reported by Sashiko.

v2: Fix up the error unwind (CI)

(cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In 2026, a use‑after‑free flaw was handling path of the Linux kernel. The bug arises when the buffer object is freed during an error path and later retried, causing access to a freed object and potential kernel memory corruption., but the description does not specify privilege escalation or arbitrary code execution.

Affected Systems

Linux kernels that do not contain commit 4796694, the change that allocates and initializes the buffer before attachment, remain vulnerable. Versions prior to the inclusion of this commit in major distributions are at risk; any custom kernels lacking the fix should be examined.

Risk and Exploitability

Classified as a use‑after‑free and a data‑synchronization error (CWE‑825), the vulnerability carries a CVSS score of 7.8. The EPSS score is below 1% and the vulnerability is not listed in CISA’s KEV catalog. While no public exploitation is documented, an attacker would need to trigger the specific error condition in the DRM subsystem, which typically requires a driver or root-level interaction.

Generated by OpenCVE AI on June 28, 2026 at 13:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes commit 4796694, ensuring the retry logic is replaced with a safe allocation-before-attachment pattern.
  • If an immediate kernel upgrade is not possible, restrict DRM Xe driver usage to signed, trusted modules, and disable any custom or unsigned kernel modules that interact with the DRM subsystem.
  • Continuously monitor kernel logs for DMA buffer allocation failures or kernel panics that could indicate exploitation attempts, and treat any unanticipated errors as a potential security event.

Generated by OpenCVE AI on June 28, 2026 at 13:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 27 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/xe/dma-buf: fix UAF with retry loop Retry doesn't work here, since bo will be freed on error, leading to UAF. However, now that we do the alloc & init before the attach, we can now combine this as one unit and have the init do the alloc for us. This should make the retry safe. Reported by Sashiko. v2: Fix up the error unwind (CI) (cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)
Title drm/xe/dma-buf: fix UAF with retry loop
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-30T12:09:45.252Z

Reserved: 2026-06-09T07:44:35.372Z

Link: CVE-2026-52950

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52950 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference