xe SR-IOV Migration UAF
Severity: HIGH
CVE-2026-31490
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/pf: Fix use-after-free in migration restore

When an error is returned from xe_sriov_pf_migration_restore_produce(), the data pointer is not set to NULL, which can trigger use-after-free in subsequent .write() calls. Set the pointer to NULL upon error to fix the problem.

(cherry picked from commit 4f53d8c6d23527d734fe3531d08e15cb170a0819)
02 KernelScan AI Analysis
Risk summary
An attacker with local access to a system running an Intel Xe GPU with SR-IOV enabled could trigger memory corruption by repeatedly writing to the migration restore debugfs interface after provoking an error condition. This could lead to a system crash or potentially arbitrary code execution with kernel privileges.
Vulnerability analysis
Summary: Use-after-free vulnerability in the Intel Xe GPU driver's SR-IOV migration restore functionality
Root Cause: Missing pointer nullification after memory deallocation in error handling path
Attack Surface: Local access through the debugfs interface; requires physical access to a system with an Intel Xe GPU and SR-IOV capabilities
Fix Mechanism: Set the data pointer to NULL after calling xe_sriov_packet_free() to prevent dangling pointer access
Details: The vulnerability occurs in the xe_sriov_packet_write_single() function when xe_sriov_pf_migration_restore_produce() returns an error. The function calls xe_sriov_packet_free() to deallocate the data buffer but does not set the data pointer to NULL. This leaves a dangling pointer that the next .write() call reuses, resulting in a use-after-free. The fix adds a single assignment, *data = NULL, immediately after the buffer is freed, so the next write allocates a fresh buffer instead of dereferencing the stale pointer.
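The error-path pattern described above, modelled in an added example that is not the kernel's code: all names (packet, restore_state, produce, write_single_buggy, write_single_fixed) are hypothetical stand-ins for the driver's packet, its persistent data pointer and the .write() handler, and the caller is assumed to keep the state across writes exactly as the driver does.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for the driver's packet and the per-file
 * `data` pointer that persists across .write() calls. */
struct packet { size_t len; char buf[32]; };
struct restore_state { struct packet *data; };
static struct packet *packet_alloc(void) { return calloc(1, sizeof(struct packet)); }
static void packet_free(struct packet *p) { free(p); }
/* Stand-in for the produce step: append, fail once the packet is full. */
static int produce(struct packet *p, const char *src, size_t n)
{
	if (p->len + n > sizeof(p->buf)) return -1;	/* error path */
	memcpy(p->buf + p->len, src, n);
	p->len += n;
	return 0;
}
/* Vulnerable shape: the packet is freed on error, but the pointer the
 * next .write() will reuse still holds the freed address. */
static int write_single_buggy(struct restore_state *st, const char *src, size_t n)
{
	if (!st->data && !(st->data = packet_alloc())) return -1;
	if (produce(st->data, src, n)) {
		packet_free(st->data);		/* BUG: st->data left dangling */
		return -1;
	}
	return 0;
}
/* Fixed shape: clear the pointer after freeing, so the next write
 * allocates a fresh packet instead of touching freed memory. */
static int write_single_fixed(struct restore_state *st, const char *src, size_t n)
{
	if (!st->data && !(st->data = packet_alloc())) return -1;
	if (produce(st->data, src, n)) {
		packet_free(st->data);
		st->data = NULL;		/* the one-line fix */
		return -1;
	}
	return 0;
}
/* Two writes: a good one, then one that overflows the packet and takes the
 * error path. Returns 1 if a pointer to freed memory is left behind. */
static int dangles_after_error(int (*w)(struct restore_state *, const char *, size_t))
{
	struct restore_state st = { 0 };
	char big[40] = { 0 };
	w(&st, "hdr", 3);
	w(&st, big, sizeof(big));	/* 3 + 40 > 32: error path */
	return st.data != NULL;
}
```

Running the same two writes through both handlers shows the only observable difference is what the state holds after the failed write: the buggy version still references freed memory, the fixed version holds NULL and will allocate afresh.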
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.11 | e28552b4ddea |
| mainline | 7.0 | 87997b6c6516 |