CVE-2026-23350
Received Received - Intake
Use-After-Free in Linux Kernel drm/xe Exec Queue Management

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe/queue: Call fini on exec queue creation fail Every call to queue init should have a corresponding fini call. Skipping this would mean skipping removal of the queue from GuC list (which is part of guc_id allocation). A damaged queue stored in exec_queue_lookup list would lead to invalid memory reference, sooner or later. Call fini to free guc_id. This must be done before any internal LRCs are freed. Since the finalization with this extra call became very similar to __xe_exec_queue_fini(), reuse that. To make this reuse possible, alter xe_lrc_put() so it can survive NULL parameters, like other similar functions. v2: Reuse _xe_exec_queue_fini(). Make xe_lrc_put() aware of NULLs. (cherry picked from commit 393e5fea6f7d7054abc2c3d97a4cfe8306cd6079)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23350
EUVD
EUVD-2026-15321
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19.1 (inc) to 6.19.7 (exc)
linux linux_kernel 6.19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's drm/xe/queue component. It occurs because every call to initialize a queue (queue init) must be paired with a corresponding finalization call (fini). If the fini call is skipped when queue creation fails, the queue is not properly removed from the GuC list, which is involved in guc_id allocation.

As a result, a damaged queue remains stored in the exec_queue_lookup list, which can lead to invalid memory references at some point later. The fix involves ensuring that fini is called to free the guc_id before any internal LRCs are freed, preventing the invalid memory reference issue.

Impact Analysis

The impact of this vulnerability is that it can cause invalid memory references within the Linux kernel. This can lead to system instability, crashes, or potentially allow an attacker to exploit the kernel memory corruption for further malicious actions.

Mitigation Strategies

The vulnerability is resolved by ensuring that every call to queue initialization has a corresponding finalization call (fini) to properly free resources and avoid invalid memory references.

Immediate mitigation steps include updating the Linux kernel to a version that includes the fix where the function _xe_exec_queue_fini() is reused and xe_lrc_put() is modified to handle NULL parameters safely.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart