CVE-2026-43280

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/05/2026
Last modified:
06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise

When user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array.

The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries).

Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels.

v2(Matthew Auld)
- Using array_index_nospec() to mitigate spectre attacks when the value is used

v3(Matthew Auld)
- Put the declarations at the start of the block

(cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)
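The pattern the description names (range check against n_entries, then clamping the index against speculation) is shown here as an added userspace C model; it is not the kernel patch or xe driver code. The struct and function names, the uint32_t index type and the -EINVAL return are assumptions, and the mask helper only models the kernel's generic array_index_mask_nospec().

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: hypothetical stand-ins for xe->pat.table and
 * xe->pat.n_entries, not the driver's real definitions. */
struct pat_entry { uint16_t coh_mode; };
struct pat_model { const struct pat_entry *table; size_t n_entries; };

/* Model of the kernel's generic array_index_mask_nospec(): all ones when
 * index < size, zero otherwise, computed without a conditional branch.
 * Relies on arithmetic right shift of negative values (GCC/Clang). */
static size_t index_mask_nospec(size_t index, size_t size)
{
    return (size_t)(~(intptr_t)(index | (size - 1 - index)) >>
                    (sizeof(intptr_t) * 8 - 1));
}

/* Hardened lookup: reject out-of-range values architecturally, then clamp
 * the index so a mispredicted branch cannot read past the table either.
 * Returns 0 and stores the mode, or -EINVAL (assumed error convention). */
static int pat_get_coh_mode_checked(const struct pat_model *pat,
                                    uint32_t pat_index, uint16_t *coh_mode)
{
    size_t idx = pat_index;

    if (idx >= pat->n_entries)
        return -EINVAL;
    idx &= index_mask_nospec(idx, pat->n_entries);
    *coh_mode = pat->table[idx].coh_mode;
    return 0;
}

int main(void)
{
    /* Constructed sample table and inputs. */
    static const struct pat_entry table[] = { {1}, {2}, {3}, {4} };
    const struct pat_model pat = { table, sizeof(table) / sizeof(table[0]) };
    const uint32_t inputs[] = { 0, 3, 4, 0xffffu, 0xffffffffu };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        uint16_t mode = 0;
        int ret = pat_get_coh_mode_checked(&pat, inputs[i], &mode);
        printf("pat_index=%u ret=%d coh_mode=%u\n",
               (unsigned)inputs[i], ret, (unsigned)mode);
    }
    return 0;
}
```

The range check alone stops the architectural out-of-bounds read; the mask is the part that corresponds to the v2 note about array_index_nospec().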

Impact