CVE-2026-43280
Undergoing Analysis Undergoing Analysis - In Progress
Bounds Check Bypass in Linux Kernel DRM/XE

Publication date: 2026-05-06

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise When user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array. The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries). Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels. v2(Matthew Auld) - Using array_index_nospec() to mitigate spectre attacks when the value is used v3(Matthew Auld) - Put the declarations at the start of the block (cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43280
EUVD
EUVD-2026-27676
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 6.18 (inc) to 6.18.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's drm/xe component where a function called xe_pat_index_get_coh_mode() accesses an array without properly checking if the index (pat_index) is within valid bounds.

When a user provides an invalid pat_index value through the madvise IOCTL, the function performs an out-of-bounds (OOB) kernel read from the xe->pat.table array. This happens because the validation function madvise_args_are_sane() calls xe_pat_index_get_coh_mode() without first verifying that pat_index is within the allowed range.

Although debug builds have a warning (WARN_ON) to catch this, production kernels still perform the unsafe array access, potentially allowing a malicious user to read kernel memory out-of-bounds.

Impact Analysis

This vulnerability allows a malicious user to trigger an out-of-bounds kernel memory read, which can lead to unauthorized disclosure of sensitive kernel memory contents.

Such unauthorized kernel memory reads can potentially expose sensitive information, aid in further attacks such as privilege escalation, or compromise system integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43280. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart