CVE-2026-46309
Received - Intake
Memory Corruption in Linux Kernel DRM/XE

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise

Add validation in xe_vm_madvise_ioctl() to reject PAT indices with XE_COH_NONE coherency mode when applied to CPU cached memory.

Using coh_none with CPU cached buffers is a security issue. When the kernel clears pages before reallocation, the clear operation stays in CPU cache (dirty). GPU with coh_none can bypass CPU caches and read stale sensitive data directly from DRAM, potentially leaking data from previously freed pages of other processes.

This aligns with the existing validation in vm_bind path (xe_vm_bind_ioctl_validate_bo).

v2 (Matthew Brost)
- Add fixes
- Move one debug print to better place
v3 (Matthew Auld)
- Should be drm/xe/uapi
- More Cc
v4 (Shuicheng Lin)
- Fix kmem leak issues by the way
v5
- Remove kmem leak because it has been merged by another patch
v6
- Remove the fix which is not related to current fix
v7
- No change
v8
- Rebase
v9
- Limit the restrictions to iGPU
v10
- No change

(cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a)

Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Compliance Impact

This vulnerability involves a potential data leak where the GPU can read stale sensitive data directly from DRAM, bypassing CPU caches. Such a leak of sensitive data from previously freed pages of other processes could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require the protection of sensitive and personal data from unauthorized access or disclosure.

However, the provided information does not explicitly discuss compliance with any specific standards or regulations.

Executive Summary

This vulnerability exists in the Linux kernel's drm/xe/uapi component, where the madvise operation fails to reject PAT (Page Attribute Table) indices that use the coh_none coherency mode when they are applied to CPU cached memory.

The issue arises because using the coh_none coherency mode with CPU cached buffers is a security problem. When the kernel clears pages before reallocating them, the clearing operation remains in the CPU cache as dirty data. However, the GPU using coh_none can bypass the CPU caches and directly read stale sensitive data from DRAM. This can lead to leaking data from previously freed pages belonging to other processes.

The fix involves adding validation in the xe_vm_madvise_ioctl() function to reject PAT indices with the XE_COH_NONE coherency mode when applied to CPU cached memory, preventing this data leakage.
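
A simplified user-space model of the stale-read condition and the added check, given here as an added example; it is not the kernel patch or Xe driver code. Only the XE_COH_NONE name comes from the advisory; the cache model, the other identifiers and the -EINVAL return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define PAGE 64 /* toy page size */

/* Hypothetical names; only XE_COH_NONE appears in the advisory. */
enum coh_mode { XE_COH_NONE, COH_SNOOP };

struct toy_mem {
    uint8_t dram[PAGE];  /* backing memory */
    uint8_t cache[PAGE]; /* CPU write-back cache contents */
    bool dirty;          /* cache holds data not yet written to DRAM */
};

/* The previous owner's data reached DRAM before the page was freed. */
static void prev_owner_write(struct toy_mem *m, uint8_t secret) {
    memset(m->dram, secret, PAGE);
    m->dirty = false;
}

/* The kernel clears the page through the CPU cache: zeros stay dirty there. */
static void kernel_clear_page(struct toy_mem *m) {
    memset(m->cache, 0, PAGE);
    m->dirty = true;
}

/* GPU read: a snooping mode sees dirty cache lines, coh_none reads DRAM. */
static uint8_t gpu_read(const struct toy_mem *m, enum coh_mode mode, int off) {
    if (mode != XE_COH_NONE && m->dirty)
        return m->cache[off];
    return m->dram[off];
}

/* Model of the added check (iGPU only, per the v9 note); -EINVAL is assumed. */
static int madvise_pat_check(enum coh_mode mode, bool cpu_cached, bool is_igpu) {
    if (is_igpu && cpu_cached && mode == XE_COH_NONE)
        return -EINVAL;
    return 0;
}

/* Runs write, free, clear, GPU read; returns the byte the GPU observes. */
static uint8_t observe_after_clear(enum coh_mode mode) {
    struct toy_mem m = {0};
    prev_owner_write(&m, 0xA5); /* constructed "secret" byte */
    kernel_clear_page(&m);
    return gpu_read(&m, mode, 0);
}
int main(void) { return (observe_after_clear(XE_COH_NONE) == 0xA5 && madvise_pat_check(XE_COH_NONE, true, true) == -EINVAL) ? 0 : 1; }
```

In this model the coh_none read returns the previous owner's byte while the snooping read returns the cleared value, which is the combination the check refuses.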

Impact Analysis

This vulnerability can lead to sensitive data leakage between processes on the same system. Specifically, because the GPU can bypass CPU caches and read stale data directly from DRAM, it may access information that was previously stored in memory pages freed by other processes.

Such data leakage could expose confidential information, potentially compromising user privacy and security.

Mitigation Strategies

The vulnerability has been resolved by adding validation in the Linux kernel's xe_vm_madvise_ioctl() function to reject PAT indices with XE_COH_NONE coherency mode when applied to CPU cached memory.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.
