drm/xe/dma-buf: fix UAF with retry loop_CVE-2026-52950

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/dma-buf: fix UAF with retry loop

Retry doesn't work here, since bo will be freed on error, leading to
UAF. However, now that we do the alloc & init before the attach, we can
now combine this as one unit and have the init do the alloc for us. This
should make the retry safe.

Reported by Sashiko.

v2: Fix up the error unwind (CI)

(cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)

Basic Information

ID CVE-2026-52950

Source Linux

Published Jun 24, 2026 at 16:28

Modified Jun 28, 2026 at 06:37

Affected Product

Vendor Linux

Product Linux

Version eb289a5f6cc668853f9b2ea6aca04afe58ed11c7

Affected Versions Linux Linux eb289a5f6cc668853f9b2ea6aca04afe58ed11c7
Linux Linux eb289a5f6cc668853f9b2ea6aca04afe58ed11c7
Linux Linux eb289a5f6cc668853f9b2ea6aca04afe58ed11c7
Linux Linux 6.18

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/dma-buf: fix UAF with retry loop\n\nRetry doesn't work here, since bo will be freed on error, leading to\nUAF. However, now that we do the alloc & init before the attach, we can\nnow combine this as one unit and have the init do the alloc for us. This\nshould make the retry safe.\n\nReported by Sashiko.\n\nv2: Fix up the error unwind (CI)\n\n(cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)",
    "published": "2026-06-24T16:28:33.469Z",
    "modified": "2026-06-28T06:37:06.988Z",
    "type": "cve",
    "title": "drm/xe/dma-buf: fix UAF with retry loop",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/39fdac6be02eb7c3460518c1c4085f75f935c4ce\nhttps://git.kernel.org/stable/c/827062952ed9bdf4220466c1f05ce452d04bdedf\nhttps://git.kernel.org/stable/c/155a372a1cc50fa93387c5d3cdfd614a61e1afd1",
    "id": "CVE-2026-52950",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux eb289a5f6cc668853f9b2ea6aca04afe58ed11c7\nLinux Linux eb289a5f6cc668853f9b2ea6aca04afe58ed11c7\nLinux Linux eb289a5f6cc668853f9b2ea6aca04afe58ed11c7\nLinux Linux 6.18",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "eb289a5f6cc668853f9b2ea6aca04afe58ed11c7",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply