CVE-2026-46216
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL. In such a scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.
Fix that by introducing a NULL check on media_gt and bailing out early if so.
While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.
v2:
- Get address for gsc only after checking that gt is not NULL. (Shuicheng)
- Drop the NULL check for gsc. (Shuicheng)
v3:
- Add "Fixes" and "Cc: <stable...>" tags. (Matt)
(cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux kernel's drm/xe/hdcp code when media GT is disabled via configfs leads to a kernel pagefault.
Vulnerability
In the Linux kernel, the intel_hdcp_gsc_check_status() function in drivers/gpu/drm/xe/display/ext/intel_hdcp_gsc.c does not check if media_gt is NULL before accessing media_gt->uc.gsc. When the media GT is disabled via configfs, media_gt remains NULL, causing a kernel pagefault on dereference. This affects kernel versions prior to the fix commit bfaf87e84ca3 (cherry-picked to stable).
Exploitation
An attacker would need the ability to disable the media GT via configfs (requires privileged access) and then trigger the HDCP GSC status check path, e.g., by initiating an HDCP authentication. No user interaction beyond system configuration is required; the race window is not a factor as it is a straightforward NULL dereference.
Impact
Successful exploitation results in a kernel NULL pointer dereference, leading to a system crash (denial of service). The attacker does not gain code execution or privilege escalation; the impact is limited to availability (DoS).
Mitigation
The fix is included in Linux kernel commit bfaf87e84ca3 ("drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()") [1]. This commit has been cherry-picked to stable kernels. Users should update to a kernel version containing this fix. If patching is not possible, ensure that the media GT is not disabled via configfs, or avoid triggering HDCP operations when media GT is disabled. The vulnerability is not listed in CISA KEV as of publication.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches
d8ab4b47edf4 drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
1 file changed · +10 −3
drivers/gpu/drm/xe/display/xe_hdcp_gsc.c+10 −3 modifieddiff --git a/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c b/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c index 29c72aa4b0d2d7..33494b86205d2e 100644 --- a/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c +++ b/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c @@ -37,9 +37,17 @@ static bool intel_hdcp_gsc_check_status(struct drm_device *drm) struct xe_device *xe = to_xe_device(drm); struct xe_tile *tile = xe_device_get_root_tile(xe); struct xe_gt *gt = tile->media_gt; - struct xe_gsc *gsc = >->uc.gsc; + struct xe_gsc *gsc; + + if (!gt) { + drm_dbg_kms(&xe->drm, + "not checking GSC status for HDCP2.x: media GT not present or disabled\n"); + return false; + } + + gsc = >->uc.gsc; - if (!gsc || !xe_uc_fw_is_available(&gsc->fw)) { + if (!xe_uc_fw_is_available(&gsc->fw)) { drm_dbg_kms(&xe->drm, "GSC Components not ready for HDCP2.x\n"); return false; -- cgit 1.3-korg
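Review bot: the new `if (!gt)` early return in intel_hdcp_gsc_check_status() has no comment saying when tile->media_gt can legitimately be NULL. The commit message explains it (media GT disabled via configfs leaves it unallocated), but a reader of the function only sees the debug string. A one-line comment above the check would document the invariant and make it easier to spot other users of tile->media_gt that need the same guard.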
60a1e131a811 drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
1 file changed · +10 −3
drivers/gpu/drm/xe/display/xe_hdcp_gsc.c+10 −3 modifieddiff --git a/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c b/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c index 29c72aa4b0d2d7..33494b86205d2e 100644 --- a/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c +++ b/drivers/gpu/drm/xe/display/xe_hdcp_gsc.c @@ -37,9 +37,17 @@ static bool intel_hdcp_gsc_check_status(struct drm_device *drm) struct xe_device *xe = to_xe_device(drm); struct xe_tile *tile = xe_device_get_root_tile(xe); struct xe_gt *gt = tile->media_gt; - struct xe_gsc *gsc = >->uc.gsc; + struct xe_gsc *gsc; + + if (!gt) { + drm_dbg_kms(&xe->drm, + "not checking GSC status for HDCP2.x: media GT not present or disabled\n"); + return false; + } + + gsc = >->uc.gsc; - if (!gsc || !xe_uc_fw_is_available(&gsc->fw)) { + if (!xe_uc_fw_is_available(&gsc->fw)) { drm_dbg_kms(&xe->drm, "GSC Components not ready for HDCP2.x\n"); return false; -- cgit 1.3-korg
bfaf87e84ca3 drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
1 file changed · +10 −2
drivers/gpu/drm/xe/display/xe_hdcp_gsc.c+10 −2 modified@@ -37,9 +37,17 @@ static bool intel_hdcp_gsc_check_status(struct drm_device *drm) struct xe_device *xe = to_xe_device(drm); struct xe_tile *tile = xe_device_get_root_tile(xe); struct xe_gt *gt = tile->media_gt; - struct xe_gsc *gsc = >->uc.gsc; + struct xe_gsc *gsc; + + if (!gt) { + drm_dbg_kms(&xe->drm, + "not checking GSC status for HDCP2.x: media GT not present or disabled\n"); + return false; + } + + gsc = >->uc.gsc; - if (!gsc || !xe_uc_fw_is_available(&gsc->fw)) { + if (!xe_uc_fw_is_available(&gsc->fw)) { drm_dbg_kms(&xe->drm, "GSC Components not ready for HDCP2.x\n"); return false;
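Review bot: the removed `!gsc` test in the second changed region could never fire, and the commit message would be clearer if it said why. gsc is the address of the uc.gsc member inside *gt, so with gt NULL it evaluates to a small non-NULL offset and the old code went on to pass &gsc->fw to xe_uc_fw_is_available(). Stating that next to "it can't be NULL if media_gt is not NULL" explains both why the old guard missed this case and why dropping it is safe.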
Vulnerability mechanics
Root cause
"Missing NULL pointer check on media_gt before dereferencing it to access the GSC structure."
Attack vector
An attacker who can disable the media GT via configfs (a kernel configuration interface) causes `tile->media_gt` to remain NULL [patch_id=2897686]. When the HDCP subsystem subsequently calls `intel_hdcp_gsc_check_status()`, the code dereferences the NULL pointer via `gt->uc.gsc`, triggering a kernel pagefault and a denial of service. No special network path or payload is required; the precondition is local control over configfs to disable the media GT.
Affected code
The vulnerable function is `intel_hdcp_gsc_check_status()` in `drivers/gpu/drm/xe/display/xe_hdcp_gsc.c` [patch_id=2897686]. The function dereferences `tile->media_gt` without a NULL check, then immediately takes the address of `gt->uc.gsc`.
What the fix does
The patch adds a NULL check on `gt` (the `media_gt` pointer) at the top of `intel_hdcp_gsc_check_status()` [patch_id=2897686]. If `gt` is NULL, the function logs a debug message and returns `false` early, preventing the dereference. The `gsc` pointer assignment is moved after the check, and the redundant `!gsc` guard is removed because `gsc` cannot be NULL when `gt` is valid.
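The ordering problem described above, as an added userspace model that is not the kernel's code: the `mock_*` struct names are hypothetical stand-ins, and the fields placed before `uc` and `gsc` are an assumption so that the member offset is non-zero. It shows why the old `!gsc` test could not catch a NULL `gt` and how the fixed ordering behaves.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the driver's structures (names are assumptions). */
struct mock_gsc { bool fw_available; };
struct mock_uc { int other_fw; struct mock_gsc gsc; };
struct mock_gt { int id; struct mock_uc uc; };      /* uc is embedded, not a pointer */
struct mock_tile { struct mock_gt *media_gt; };     /* NULL when media GT is disabled */

/* The address that &gt->uc.gsc evaluates to for a given gt base address. */
static uintptr_t gsc_address(uintptr_t gt_base)
{
	return gt_base + offsetof(struct mock_gt, uc) + offsetof(struct mock_uc, gsc);
}

/* Old guard: "if (!gsc)". Returns true when it would stop before the read. */
static bool old_guard_stops(const struct mock_gt *gt)
{
	return gsc_address((uintptr_t)gt) == 0;
}

/* Fixed ordering: test gt first, form the member address only afterwards. */
static bool check_status_fixed(const struct mock_tile *tile)
{
	const struct mock_gt *gt = tile->media_gt;
	const struct mock_gsc *gsc;

	if (!gt)
		return false;   /* media GT not present or disabled */
	gsc = &gt->uc.gsc;
	return gsc->fw_available;
}

int main(void)
{
	struct mock_gt gt = { .id = 1, .uc = { .gsc = { .fw_available = true } } };
	struct mock_tile with_gt = { .media_gt = &gt };
	struct mock_tile without_gt = { .media_gt = NULL };

	printf("gsc address with gt == NULL: %#lx\n", (unsigned long)gsc_address(0));
	printf("old guard stops NULL gt: %d\n", old_guard_stops(NULL));
	printf("fixed, media GT present: %d\n", check_status_fixed(&with_gt));
	printf("fixed, media GT disabled: %d\n", check_status_fixed(&without_gt));
	return 0;
}
```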
Preconditions
- config: The media GT must be disabled via configfs, leaving tile->media_gt as NULL.
- input: The HDCP subsystem must invoke intel_hdcp_gsc_check_status() (e.g., during HDCP 2.x authentication).
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.