CVE-2026-43280
Status: Awaiting Analysis - Queue
Bounds Check Bypass in Linux Kernel DRM/XE

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise

When a user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array.

The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries). Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels.

v2 (Matthew Auld): Use array_index_nospec() to mitigate Spectre attacks when the value is used

v3 (Matthew Auld): Put the declarations at the start of the block

(cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)
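The pattern the fix describes, as an added userspace model that is not the kernel's xe driver code: reject a pat_index outside [0, n_entries) before the table access, then clamp the index speculation-safely the way array_index_nospec() does. The enum, struct layout, sample table and index_nospec() helper are constructed stand-ins.

```c
/* Constructed userspace model of the fix described above: validate a
 * user-supplied pat_index before indexing the PAT table, then mask the
 * index so a mis-speculated branch cannot read past the end either.
 * Names, table layout and the nospec helper are simplified stand-ins,
 * not the kernel's xe driver code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum coh_mode { COH_NONE = 0, COH_1WAY = 1, COH_2WAY = 2 };

struct pat_entry { uint32_t value; enum coh_mode coh_mode; };

/* Stand-in for xe->pat: the table plus its entry count (n_entries). */
struct pat_info { const struct pat_entry *table; size_t n_entries; };

/* Userspace version of the array_index_nospec() idea: once the
 * architectural bounds check has passed, AND the index with a mask that
 * is all-ones for idx < size and zero otherwise, so even a speculatively
 * taken wrong path produces an in-bounds index. */
static size_t index_nospec(size_t idx, size_t size)
{
    size_t mask = (size_t)0 - (size_t)(idx < size); /* ~0 or 0 */
    return idx & mask;
}

/* Returns the entry's coherency mode, or -EINVAL for an index outside
 * [0, n_entries). The range check is the one the advisory says was
 * missing before the table access. */
int pat_coh_mode(const struct pat_info *pat, uint32_t pat_index)
{
    if (pat_index >= pat->n_entries)
        return -EINVAL;
    pat_index = (uint32_t)index_nospec(pat_index, pat->n_entries);
    return (int)pat->table[pat_index].coh_mode;
}

/* Constructed three-entry table used for the demonstration. */
static const struct pat_entry sample_table[] = {
    { 0x0, COH_NONE }, { 0x1, COH_1WAY }, { 0x3, COH_2WAY },
};
const struct pat_info sample_pat = { sample_table, 3 };

int main(void)
{
    printf("pat_index 2 -> %d\n", pat_coh_mode(&sample_pat, 2));
    printf("pat_index 7 -> %d\n", pat_coh_mode(&sample_pat, 7));
    return 0;
}
```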
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's drm/xe component where a function called xe_pat_index_get_coh_mode() accesses an array without properly checking if the index (pat_index) is within valid bounds.

When a user provides an invalid pat_index value through the madvise IOCTL, the function performs an out-of-bounds (OOB) kernel read from the xe->pat.table array. This happens because the validation function madvise_args_are_sane() calls xe_pat_index_get_coh_mode() without first verifying that pat_index is within the allowed range.

Although debug builds have a warning (WARN_ON) to catch this, production kernels still perform the unsafe array access, potentially allowing a malicious user to read kernel memory out-of-bounds.


How can this vulnerability impact me?

This vulnerability allows a malicious user to trigger an out-of-bounds kernel memory read, which can lead to unauthorized disclosure of sensitive kernel memory contents.

Such unauthorized kernel memory reads can potentially expose sensitive information, aid in further attacks such as privilege escalation, or compromise system integrity.

