HIGH
drm/xe DmaBuf Leak
CVE-2026-46201
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI3.3LOW
01Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import() When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it. (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)
02KernelScan AI Analysis
Risk summary
Systems with Intel Xe GPUs are vulnerable to a DMA-buf attachment resource leak that can be triggered by local users with DRM device access. Repeated exploitation could lead to resource exhaustion and system instability.
Vulnerability analysis
The vulnerability occurs in xe_gem_prime_import() when dma_buf_dynamic_attach() succeeds but xe_dma_buf_init_obj() fails. The original code failed to call dma_buf_detach() in this error path, causing DMA-buf attachments to leak. The fix adds proper cleanup by calling dma_buf_detach() before returning the error. This affects local users who can access DRM device nodes and requires Intel Xe GPU hardware.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.90 | d394669e1949 |
| 6.18 | 6.18.32 | 0afa8b1ef582 |
| 7.0 | 7.0.9 | eea1e10f8d99 |
| mainline | 7.1-rc2 | 111ab678471b |