CVE-2026-46309

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/06/2026
Last modified:
08/07/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise<br /> <br /> Add validation in xe_vm_madvise_ioctl() to reject PAT indices with<br /> XE_COH_NONE coherency mode when applied to CPU cached memory.<br /> <br /> Using coh_none with CPU cached buffers is a security issue. When the<br /> kernel clears pages before reallocation, the clear operation stays in<br /> CPU cache (dirty). GPU with coh_none can bypass CPU caches and read<br /> stale sensitive data directly from DRAM, potentially leaking data from<br /> previously freed pages of other processes.<br /> <br /> This aligns with the existing validation in vm_bind path<br /> (xe_vm_bind_ioctl_validate_bo).<br /> <br /> v2(Matthew brost)<br /> - Add fixes<br /> - Move one debug print to better place<br /> <br /> v3(Matthew Auld)<br /> - Should be drm/xe/uapi<br /> - More Cc<br /> <br /> v4(Shuicheng Lin)<br /> - Fix kmem leak issues by the way<br /> <br /> v5<br /> - Remove kmem leak because it has been merged by another patch<br /> <br /> v6<br /> - Remove the fix which is not related to current fix<br /> <br /> v7<br /> - No change<br /> <br /> v8<br /> - Rebase<br /> <br /> v9<br /> - Limit the restrictions to iGPU<br /> <br /> v10<br /> - No change<br /> <br /> (cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a)

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.18 (including) 6.18.32 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.9 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*