CVE-2026-23466
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Open-code GGTT MMIO access protection
GGTT MMIO access is currently protected by hotplug (drm_dev_enter), which works correctly when the driver loads successfully and is later unbound or unloaded. However, if driver load fails, this protection is insufficient because drm_dev_unplug() is never called.
Additionally, devm release functions cannot guarantee that all BOs with GGTT mappings are destroyed before the GGTT MMIO region is removed, as some BOs may be freed asynchronously by worker threads.
To address this, introduce an open-coded flag, protected by the GGTT lock, that guards GGTT MMIO access. The flag is cleared during the dev_fini_ggtt devm release function to ensure MMIO access is disabled once teardown begins.
(cherry picked from commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's drm/xe, GGTT MMIO access protection was insufficient during driver load failure, leading to potential use-after-free; fixed by introducing a flag guarded by the GGTT lock.
Vulnerability
The vulnerability resides in the drm/xe driver for Intel GPUs. GGTT MMIO access protection previously relied on hotplug (drm_dev_enter), which works correctly when the driver loads successfully and is later unbound. However, if driver load fails, this protection is insufficient because drm_dev_unplug() is never called. Additionally, devm release functions cannot guarantee that all BOs with GGTT mappings are destroyed before the GGTT MMIO region is removed, as some BOs may be freed asynchronously by worker threads.
Exploitation
Exploitation requires a scenario where the driver load fails. An attacker with local access and the ability to trigger a failed driver load could potentially leverage the race condition between worker threads freeing BOs and the removal of the GGTT MMIO region, leading to a use-after-free condition.
Impact
Successful exploitation could result in memory corruption, which may lead to privilege escalation or denial of service. The vulnerability is rated High with a CVSS v3 score of 7.8, indicating significant impact.
Mitigation
The fix introduces an open-coded flag, protected by the GGTT lock, that guards GGTT MMIO access. The flag is cleared during the dev_fini_ggtt devm release function to ensure MMIO access is disabled once teardown begins. This patch has been applied to the Linux kernel stable tree.
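The pattern the fix describes (a flag guarded by the GGTT lock, cleared in the devm release path, checked on every MMIO access so that late, asynchronous BO frees hit the flag instead of a vanished MMIO region) can be modelled outside the kernel. The following is an added user-space illustration of that pattern, not the xe driver's code; the names ggtt_dev, ggtt_mmio_write and ggtt_dev_fini, the spinlock built on a C11 atomic_flag standing in for the GGTT lock, and the fixed-size array standing in for the MMIO window are all assumptions made for the example.

```c
/*
 * Added illustration of the "open-coded flag under the GGTT lock" teardown
 * guard. This is not the drm/xe driver's code; all names are hypothetical.
 * Build: cc -std=c11 -Wall ggtt_guard.c
 */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GGTT_SLOTS 8

struct ggtt_dev {
    atomic_flag lock;            /* stand-in for the GGTT lock */
    bool mmio_ok;                /* guarded by lock; false once teardown begins */
    uint64_t mmio[GGTT_SLOTS];   /* stand-in for the GGTT MMIO window */
    unsigned long refused;       /* accesses refused after teardown */
};

static void ggtt_lock(struct ggtt_dev *d)
{
    while (atomic_flag_test_and_set_explicit(&d->lock, memory_order_acquire))
        ;                        /* spin: fine for a single-process demo */
}

static void ggtt_unlock(struct ggtt_dev *d)
{
    atomic_flag_clear_explicit(&d->lock, memory_order_release);
}

/* Driver-load analogue: MMIO becomes usable only once init succeeds. */
int ggtt_dev_init(struct ggtt_dev *d)
{
    memset(d, 0, sizeof(*d));
    atomic_flag_clear(&d->lock);
    d->mmio_ok = true;
    return 0;
}

/*
 * Every GGTT MMIO write goes through here. The flag is read under the same
 * lock that teardown takes to clear it, so it cannot flip between the check
 * and the access. After teardown the write is refused with -ENODEV rather
 * than touching a region that may already be unmapped.
 */
int ggtt_mmio_write(struct ggtt_dev *d, unsigned idx, uint64_t pte)
{
    int ret = 0;

    if (idx >= GGTT_SLOTS)
        return -EINVAL;

    ggtt_lock(d);
    if (!d->mmio_ok) {
        d->refused++;
        ret = -ENODEV;
    } else {
        d->mmio[idx] = pte;
    }
    ggtt_unlock(d);
    return ret;
}

/*
 * devm release analogue (dev_fini_ggtt in the description): clear the flag
 * under the lock before the MMIO region is removed. This runs whether or not
 * driver load succeeded, which is the gap drm_dev_unplug() left open.
 */
void ggtt_dev_fini(struct ggtt_dev *d)
{
    ggtt_lock(d);
    d->mmio_ok = false;
    ggtt_unlock(d);
    /* The MMIO window could now be unmapped safely. */
}

/* The write a late BO free (e.g. from a worker) would issue to clear its PTE. */
static int late_bo_release(struct ggtt_dev *d, unsigned idx)
{
    return ggtt_mmio_write(d, idx, 0);
}

/* Scenario: one mapping, teardown, then a late release. Returns refused count. */
unsigned long demo_teardown_guard(void)
{
    struct ggtt_dev dev;

    ggtt_dev_init(&dev);
    ggtt_mmio_write(&dev, 3, 0x1000);   /* constructed PTE value */
    ggtt_dev_fini(&dev);
    late_bo_release(&dev, 3);           /* refused, not a stale MMIO access */
    return dev.refused;
}

int main(void)
{
    printf("MMIO writes refused after teardown: %lu\n", demo_teardown_guard());
    return 0;
}
```

The order inside ggtt_dev_fini matters: the flag is cleared under the lock before anything that unmaps the region, so any access that races with teardown either completes before the clear (while the region is still valid) or observes the cleared flag and bails out.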
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in our index yet)