CVE-2026-46224
Analyzed Analyzed - Analysis Complete
Memory Leak in Linux Kernel DRM/XE Driver

Publication date: 2026-05-28

Last updated on: 2026-06-10

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error. xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed. Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning. v2: Add comments to explain the free logic. (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-10
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46224
EUVD
EUVD-2026-32851
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel From 6.18 (inc) to 6.18.32 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a memory leak in the Linux kernel's drm/xe component. Specifically, when the function drm_gpuvm_resv_object_alloc() fails during allocation, a pre-allocated buffer object (bo) is not freed properly, causing a resource leak.

The issue arises because xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error, but xe_dma_buf_init_obj() itself does not free the bo on its own error paths. This leads to ambiguity in xe_gem_prime_import() about whether the bo should be freed, resulting in the leak.

The fix involves adding explicit freeing of the bo (using xe_bo_free(storage)) before returning an error, and adding comments to clarify ownership semantics of the storage object.

Impact Analysis

This vulnerability can lead to a memory leak in the Linux kernel's graphics subsystem. Over time, repeated allocation failures without proper freeing of resources could cause increased memory usage, potentially degrading system performance or leading to resource exhaustion.

Such leaks might affect system stability, especially in environments with heavy graphics workloads or constrained memory resources.

Mitigation Strategies

The vulnerability is fixed in the Linux kernel by ensuring that the buffer object (bo) is properly freed on allocation failure in the drm/xe driver. To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix described in the commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9.

No other immediate mitigation steps or workarounds are provided.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46224. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart