HIGH
drm/xe EUStall StreamClose UAF
CVE-2026-53290
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 6.7 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/eustall: Fix drm_dev_put called before stream disable in close

In xe_eu_stall_stream_close(), drm_dev_put() is called before the stream is disabled and its resources are freed. If this drops the last reference, the device structures could be freed while the subsequent cleanup code still accesses them, leading to a use-after-free.

Fix this by moving drm_dev_put() after all device accesses are complete. This matches the ordering in xe_oa_release().

(cherry picked from commit 35aff528f7297e949e5e19c9cd7fd748cf1cf21c)
02 KernelScan AI Analysis
Risk summary
A use-after-free exists in the close path of the Intel Xe GPU driver's EU stall sampling stream. A privileged local user who can open an EU stall sampling stream can, by closing it, cause the driver to touch device structures after the device's reference count has already been dropped, potentially leading to kernel memory corruption, information disclosure, or a system crash. Exploitation requires the privileges needed to open and close the EU stall sampling stream; there is no remote attack surface.
Vulnerability analysis
The vulnerability is a use-after-free in xe_eu_stall_stream_close() in the Intel Xe DRM driver. Before the fix, the function called drm_dev_put(&gt->tile->xe->drm) before disabling the stream and releasing its resources. If that drm_dev_put() drops the last reference to the DRM device, the reference-counting machinery runs the device release path and the device structures, including gt->tile->xe and gt->eu_stall, can be freed.

The code that follows then takes gt->eu_stall->stream_lock and calls xe_eu_stall_disable_locked(), xe_eu_stall_data_buf_destroy() and xe_eu_stall_stream_free(), each of which dereferences the freed structures: a use-after-free. The fix moves drm_dev_put() after the last device access, matching the ordering used in the analogous xe_oa_release().

Reaching the bug requires a process privileged enough to open an EU stall sampling file descriptor (typically CAP_SYS_ADMIN or equivalent DRM access) and then close it. For the put in close() to drop the last reference, the stream's file descriptor must be the last remaining holder, which in practice means the device was unbound or hot-unplugged while the stream was still open; while the driver remains bound it holds its own reference and the stale accesses do not hit freed memory. The vulnerability is local only, with no network attack surface.
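The ordering problem is easiest to see on a reduced model. The following is an added illustration written for this page, not code from the xe driver: toy_dev, toy_dev_put(), touch(), close_buggy() and close_fixed() are hypothetical names standing in for the DRM device refcount, drm_dev_put(), the later dereferences of gt->eu_stall, and the pre-fix and post-fix close paths. Instead of actually freeing memory, the release callback sets a flag and every access to device-owned state checks it, playing the role KASAN would play on a real kernel, so the count of stale accesses can be returned and checked.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of xe_eu_stall_stream_close(): the DRM device is refcounted,
 * the stream holds one reference taken at open, and close must not drop
 * that reference before it has finished touching device-owned state.
 * All names here are hypothetical; this is not the xe driver's code. */
struct toy_dev {
	int refcount;        /* drm_dev_get()/drm_dev_put() in the real driver */
	int released;        /* 1 once the last reference is dropped ("freed") */
	int stream_enabled;  /* stream state living inside the device object  */
	char *data_buf;      /* sampling buffer owned by the stream             */
};

/* Release callback run when the refcount reaches zero. A real DRM device
 * frees its memory here; we only mark the object so later misuse shows up. */
static void toy_dev_release(struct toy_dev *d)
{
	d->released = 1;
}

static void toy_dev_get(struct toy_dev *d) { d->refcount++; }

static void toy_dev_put(struct toy_dev *d)
{
	if (--d->refcount == 0)
		toy_dev_release(d);
}

/* Every dereference of device-owned state goes through this check.
 * Returns 1 if the access happens after release (a use-after-free). */
static int touch(struct toy_dev *d)
{
	return d->released ? 1 : 0;
}

/* Stand-ins for xe_eu_stall_disable_locked(), xe_eu_stall_data_buf_destroy()
 * and xe_eu_stall_stream_free(); each returns 1 if it touched freed state. */
static int stream_disable(struct toy_dev *d)
{
	int bad = touch(d);
	d->stream_enabled = 0;
	return bad;
}

static int stream_buf_destroy(struct toy_dev *d)
{
	int bad = touch(d);
	free(d->data_buf);
	d->data_buf = NULL;
	return bad;
}

static int stream_free(struct toy_dev *d)
{
	return touch(d);
}

/* Pre-fix ordering: drop the reference first, then clean up. If the stream
 * held the last reference, all three steps run on released state.
 * Returns the number of stale accesses. */
int close_buggy(struct toy_dev *d)
{
	int bad = 0;
	toy_dev_put(d);
	bad += stream_disable(d);
	bad += stream_buf_destroy(d);
	bad += stream_free(d);
	return bad;
}

/* Post-fix ordering (what xe_oa_release() already did): finish every
 * device access, then drop the reference. */
int close_fixed(struct toy_dev *d)
{
	int bad = 0;
	bad += stream_disable(d);
	bad += stream_buf_destroy(d);
	bad += stream_free(d);
	toy_dev_put(d);
	return bad;
}

/* Build a device with `other_refs` references held elsewhere (0 models a
 * device already unbound/unplugged, 1 models the driver still bound) plus
 * the stream's own reference taken at open. Caller frees the struct. */
struct toy_dev *toy_dev_new(int other_refs)
{
	struct toy_dev *d = calloc(1, sizeof(*d));
	if (!d)
		return NULL;
	d->refcount = other_refs;
	toy_dev_get(d);
	d->stream_enabled = 1;
	d->data_buf = calloc(64, 1);
	return d;
}

int main(void)
{
	struct toy_dev *a = toy_dev_new(0), *b = toy_dev_new(0), *c = toy_dev_new(1);
	printf("buggy close, stream held last ref: %d stale accesses\n", close_buggy(a));
	printf("fixed close, stream held last ref: %d stale accesses\n", close_fixed(b));
	printf("buggy close, driver still bound:   %d stale accesses\n", close_buggy(c));
	free(a); free(b); free(c);
	return 0;
}
```

The third case is the caveat from the analysis above: with the driver's own reference still held, the pre-fix ordering never dereferences freed memory, which is why the bug only bites when the stream's file descriptor outlives the device.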
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.33 | bebce43f34b5 |
| 7.0 | 7.0.10 | 84f2bfbe6e38 |
| mainline | 7.1 | dc2d9842c67d |