CVE-2026-52976
Received Received - Intake
Memory Leak in Linux Kernel DRM/XE Driver

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() Two error handling issues exist in xe_exec_queue_create_ioctl(): 1. When xe_hw_engine_group_add_exec_queue() fails, the error path jumps to put_exec_queue which skips xe_exec_queue_kill(). If the VM is in preempt fence mode, xe_vm_add_compute_exec_queue() has already added the queue to the VM's compute exec queue list. Skipping the kill leaves the queue on that list, leading to a dangling pointer after the queue is freed. 2. When xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has succeeded, the error path does not call xe_hw_engine_group_del_exec_queue() to remove the queue from the hw engine group list. The queue is then freed while still linked into the hw engine group, causing a use-after-free. Fix both by: - Changing the xe_hw_engine_group_add_exec_queue() failure path to jump to kill_exec_queue so that xe_exec_queue_kill() properly removes the queue from the VM's compute list. - Adding a del_hw_engine_group label before kill_exec_queue for the xa_alloc() failure path, which removes the queue from the hw engine group before proceeding with the rest of the cleanup. (cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52976
EUVD
EUVD-2026-38844
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's drm/xe component, specifically in the xe_exec_queue_create_ioctl() function. It involves two error handling issues during the creation and cleanup of execution queues.

  • First, if xe_hw_engine_group_add_exec_queue() fails, the error handling skips a necessary cleanup step (xe_exec_queue_kill()), leaving a dangling pointer in the VM's compute exec queue list.
  • Second, if xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has succeeded, the queue is freed without being properly removed from the hardware engine group list, causing a use-after-free condition.

The fix involves adjusting the error paths to ensure proper cleanup: making sure xe_exec_queue_kill() is called to remove the queue from the VM's list and removing the queue from the hardware engine group before freeing it.

Impact Analysis

This vulnerability can lead to dangling pointers and use-after-free conditions within the Linux kernel's graphics execution queue management. Such issues may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the drm/xe error cleanup in xe_exec_queue_create_ioctl().

The fix involves proper error handling in the xe_exec_queue_create_ioctl() function to prevent use-after-free and dangling pointer issues.

Applying the patch or upgrading to the kernel version containing commit 37c831f401746a45d510b312b0ed7a77b1e06ec8 will resolve the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52976. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart