Listen to this Post
CVE-2026-46201 describes a resource leak in the Linux kernel’s Xe graphics driver. The vulnerability resides in the `xe_gem_prime_import()` function, which handles the import of DMA-BUF attachments from external drivers. When a DMA-BUF object is imported, the kernel uses `dma_buf_dynamic_attach()` to establish an attachment between the buffer and the Xe driver. This attachment is a critical resource that must be cleaned up when the import process fails. However, if the subsequent `xe_dma_buf_init_obj()` function fails during the import process, the code path does not detach the previously attached DMA-BUF attachment. This oversight causes the attachment to remain allocated in kernel memory, even though the rest of the import operation has been aborted and the buffer object (bo) has been freed. The issue is further complicated by the fact that `xe_dma_buf_init_obj()` already frees the buffer object on failure. Attempting to use a standard error-handling pattern like `goto out_err` would lead to a double-free condition, as the same buffer object would be freed twice. Therefore, the fix must explicitly call `dma_buf_detach()` before returning the error, without invoking the common cleanup path. This leak is not immediately dangerous, but repeated failures could exhaust kernel memory, leading to a denial of service. Attackers with local access to a system that supports the Xe driver could trigger this condition by causing import operations to fail in a controlled manner, gradually consuming memory and degrading system performance. The issue was introduced in the initial Xe driver implementation and affects kernel versions starting from 6.8. It is considered a medium-severity vulnerability with a CVSS score of 7.8 (High) due to its potential to impact system availability.
DailyCVE Form:
Platform: Linux Kernel
Version: 6.8 to 6.12
Vulnerability : DMA-BUF attachment leak
Severity: High (CVSS 7.8)
date: 2026-05-28
Prediction: Patch available June 2026
What Undercode Say:
Verify if the vulnerability is present grep -q "drm/xe: Fix dma-buf attachment leak" /boot/config-$(uname -r) || echo "Vulnerable" Check for the specific commit that fixes the issue git log --oneline --grep="a828eb185aac41800df8eae4b60501ccc0dbbe51" Test for the leak by simulating a failed import echo 1 > /sys/kernel/debug/dri/0/error_inject
// Affected function in drivers/gpu/drm/xe/xe_gem_prime.c
static struct drm_gem_object xe_gem_prime_import(struct drm_device dev,
struct dma_buf dma_buf)
{
struct dma_buf_attachment attach;
struct drm_gem_object obj;
int ret;
attach = dma_buf_dynamic_attach(dma_buf, &xe_driver.driver, NULL);
if (IS_ERR(attach))
return ERR_CAST(attach);
obj = xe_dma_buf_init_obj(dev, attach);
if (IS_ERR(obj)) {
// Vulnerable code: missing dma_buf_detach() here
return obj;
}
return obj;
}
Exploit:
Local attacker triggers DMA-BUF import failures repeatedly, causing kernel memory to leak. This can be done by crafting a fake DMA-BUF object that fails during `xe_dma_buf_init_obj()` due to invalid parameters or resource exhaustion. Each failure leaves a dangling `dma_buf_attachment` structure, consuming memory until the system becomes unstable or crashes.
Protection:
Apply the kernel patch that adds `dma_buf_detach(attach);` before the error return in xe_gem_prime_import(). Alternatively, upgrade to a kernel version that includes the fix (e.g., 6.12.90, 6.18.32, 7.0.9, or later). Workarounds are not available; the issue must be fixed in the kernel source.
Impact:
Progressive memory exhaustion leading to denial of service. Under sustained load, the system may experience performance degradation, unexpected crashes, or become unresponsive. The leak is limited to kernel memory and does not directly compromise data integrity or confidentiality. However, it can be combined with other exploits to worsen the impact.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
