Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()

Two error handling issues exist in xe_exec_queue_create_ioctl():

1. When xe_hw_engine_group_add_exec_queue() fails, the error path jumps
to put_exec_queue which skips xe_exec_queue_kill(). If the VM is in
preempt fence mode, xe_vm_add_compute_exec_queue() has already added
the queue to the VM's compute exec queue list. Skipping the kill
leaves the queue on that list, leading to a dangling pointer after
the queue is freed.

2. When xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has
succeeded, the error path does not call
xe_hw_engine_group_del_exec_queue() to remove the queue from the hw
engine group list. The queue is then freed while still linked into
the hw engine group, causing a use-after-free.

Fix both by:
- Changing the xe_hw_engine_group_add_exec_queue() failure path to jump
to kill_exec_queue so that xe_exec_queue_kill() properly removes the
queue from the VM's compute list.
- Adding a del_hw_engine_group label before kill_exec_queue for the
xa_alloc() failure path, which removes the queue from the hw engine
group before proceeding with the rest of the cleanup.

(cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel driver for DRM Xe contains a flaw in xe_exec_queue_create_ioctl() where error handling does not properly clean up execution queues. If the hardware engine group add fails while the virtual machine is in preempt fence mode, the queue remains on the VM's compute list after being freed, leaving a dangling pointer. Similarly, if memory allocation fails after the engine group add succeeds, the queue stays linked in the hardware engine group list and is then freed, causing a use‑after‑free condition. These errors can lead to memory corruption and potentially allow a local attacker to gain kernel privileges or crash the system. The weakness is a classic use‑after‑free bug.

Affected Systems

All flavors of the Linux kernel that include the DRM Xe subsystem before the patch referenced in commit 37c831f4. The issue affects implementations where xe_exec_queue_create_ioctl() is exercised by DRM X‑e virtual machines or graphics workloads. No specific vendor or version numbers are listed, so any kernel containing the vulnerable code is potentially affected.

Risk and Exploitability

Based on the description, it is inferred that this flaw is a local kernel‑level issue that would require an attacker with sufficient privileges to execute code in the kernel context. No publicly available CVSS or EPSS score is listed, and the vulnerability is not in the CISA KEV catalog. Because the problem relies on internal state in the DRM Xe driver, it is inferred that widespread exploitation is unlikely without an additional local foothold. The use‑after‑free condition can lead to memory corruption, and it is inferred that a successful exploit could crash or compromise the host.

Generated by OpenCVE AI on June 24, 2026 at 21:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix for xe_exec_queue_create_ioctl(), specifically after commit 37c831f4
  • Reboot the system to load the updated kernel and ensure the DRM Xe driver is running the patched code
  • Monitor kernel logs for any DRM Xe execution queue errors to identify any lingering issues.

Generated by OpenCVE AI on June 24, 2026 at 21:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-787

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() Two error handling issues exist in xe_exec_queue_create_ioctl(): 1. When xe_hw_engine_group_add_exec_queue() fails, the error path jumps to put_exec_queue which skips xe_exec_queue_kill(). If the VM is in preempt fence mode, xe_vm_add_compute_exec_queue() has already added the queue to the VM's compute exec queue list. Skipping the kill leaves the queue on that list, leading to a dangling pointer after the queue is freed. 2. When xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has succeeded, the error path does not call xe_hw_engine_group_del_exec_queue() to remove the queue from the hw engine group list. The queue is then freed while still linked into the hw engine group, causing a use-after-free. Fix both by: - Changing the xe_hw_engine_group_add_exec_queue() failure path to jump to kill_exec_queue so that xe_exec_queue_kill() properly removes the queue from the VM's compute list. - Adding a del_hw_engine_group label before kill_exec_queue for the xa_alloc() failure path, which removes the queue from the hw engine group before proceeding with the rest of the cleanup. (cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)
Title drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:53.147Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52976

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T21:15:16Z

Weaknesses