CVE-2026-23350 Overview
A use-after-free vulnerability has been identified in the Linux kernel's Intel Xe DRM graphics driver, specifically in the execution queue management subsystem. The vulnerability occurs when the fini (finalization) function is not called during execution queue creation failure, leading to incomplete cleanup of queue resources from the Graphics micro-controller (GuC) list.
When an execution queue fails to initialize properly, the cleanup path skips the removal of the queue from the GuC list (which is part of guc_id allocation). This results in a damaged queue reference remaining in the exec_queue_lookup list, which can later lead to invalid memory references when the stale pointer is accessed.
Critical Impact
A damaged queue stored in the exec_queue_lookup list leads to invalid memory references, potentially causing system instability, denial of service, or exploitable memory corruption conditions.
Affected Products
- Linux Kernel (drm/xe driver)
- Systems with Intel Xe Graphics hardware
Discovery Timeline
- 2026-03-25 - CVE-2026-23350 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23350
Vulnerability Analysis
The vulnerability resides in the Linux kernel's Intel Xe DRM driver, specifically in the execution queue initialization and error handling paths. The Xe driver manages GPU execution queues that interface with Intel's GuC (Graphics micro-controller) firmware for workload scheduling.
When queue init is called to set up an execution queue, several resources are allocated including a guc_id which registers the queue with the GuC firmware. If queue creation fails after partial initialization, the error path was not calling the corresponding fini function. This left the queue in an inconsistent state where:
- The guc_id remained allocated and registered with the GuC
- The queue reference persisted in the exec_queue_lookup list
- Other resources may have been freed, creating dangling pointer conditions
When subsequent operations attempt to access the queue through the lookup list, they encounter invalid memory references to partially or fully deallocated structures.
Root Cause
The root cause is improper resource lifecycle management in the execution queue error handling path. The principle that "every call to queue init should have a corresponding fini call" was violated during error conditions. The fix ensures that __xe_exec_queue_fini() is called to properly release the guc_id before any internal Logical Ring Contexts (LRCs) are freed. Additionally, xe_lrc_put() was modified to safely handle NULL parameters, similar to other kernel deallocation functions.
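The init/fini pairing described above, reduced to a userspace C model. This is an added example, not the xe driver's code, and `lookup`, `queue_create`, `call_fini` and the other names are hypothetical. With `call_fini` off, a failed create frees the queue but leaves it registered; with it on, the entry is removed before the LRCs and the queue are freed.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model of the error path; every name here is hypothetical. */
#define MAX_IDS 8
#define NUM_LRC 2
struct lrc { int refs; };
struct queue { int id; struct lrc *lrc[NUM_LRC]; };
static struct queue *lookup[MAX_IDS];    /* stands in for exec_queue_lookup */

static int queue_init(struct queue *q)   /* allocate an id, register q */
{
    for (int i = 0; i < MAX_IDS; i++)
        if (!lookup[i]) { lookup[i] = q; q->id = i; return 0; }
    return -1;
}
static void queue_fini(struct queue *q)  /* release the id, unregister q */
{
    if (q->id >= 0) { lookup[q->id] = NULL; q->id = -1; }
}
static void lrc_put(struct lrc *l) { if (l && --l->refs == 0) free(l); } /* NULL-safe */
static int registered(void)              /* entries left in the lookup table */
{
    int n = 0;
    for (int i = 0; i < MAX_IDS; i++) n += lookup[i] != NULL;
    return n;
}
/* LRC allocation number fail_at fails (-1: none); call_fini picks the fixed path. */
static struct queue *queue_create(int fail_at, int call_fini)
{
    struct queue *q = calloc(1, sizeof(*q));
    if (!q) return NULL;
    q->id = -1;
    if (queue_init(q)) goto err;
    for (int i = 0; i < NUM_LRC; i++) {
        if (i == fail_at || !(q->lrc[i] = calloc(1, sizeof(struct lrc)))) goto err;
        q->lrc[i]->refs = 1;
    }
    return q;
err:
    if (call_fini) queue_fini(q);        /* unregister before freeing anything */
    for (int i = 0; i < NUM_LRC; i++) lrc_put(q->lrc[i]);  /* unset slots are NULL */
    free(q);
    return NULL;
}
int main(void)
{
    queue_create(1, 0);                  /* old error path, second LRC fails */
    printf("old path leaves %d stale entry\n", registered());
    return 0;
}
```

The model only counts table entries and never dereferences the stale pointer; in the driver, a later lookup that follows such an entry is the invalid memory reference.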
Attack Vector
This is a local vulnerability that could be triggered by:
- A local user with access to the graphics subsystem causing queue creation failures
- Resource exhaustion scenarios that force queue initialization failures
- Malformed requests to the DRM subsystem that trigger the vulnerable error path
While the attack vector is local and exploitation complexity may be high, successful exploitation could lead to kernel memory corruption, privilege escalation, or denial of service conditions on systems with Intel Xe graphics hardware.
Detection Methods for CVE-2026-23350
Indicators of Compromise
- Kernel oops or panics referencing drm/xe/queue or xe_exec_queue functions
- System log entries indicating invalid memory access in Xe graphics driver components
- Unexpected GPU driver crashes or hangs during graphics-intensive operations
- Memory corruption warnings in kernel ring buffer (dmesg) related to the Xe subsystem
Detection Strategies
- Monitor kernel logs for use-after-free warnings from KASAN (Kernel Address Sanitizer) if enabled
- Watch for anomalous crashes in the DRM/Xe driver subsystem that indicate memory corruption
- Deploy kernel-level monitoring for invalid memory access patterns in graphics driver code paths
- Use SentinelOne Singularity Platform to detect kernel-level exploitation attempts and memory corruption indicators
Monitoring Recommendations
- Enable kernel debugging features like KASAN on development and test systems to catch memory safety violations
- Implement syslog monitoring for patterns matching Xe driver crashes or memory errors
- Configure alerting for GPU driver instability that may indicate exploitation attempts
- Deploy endpoint detection solutions capable of monitoring kernel-level behavior anomalies
How to Mitigate CVE-2026-23350
Immediate Actions Required
- Update affected Linux kernel installations to patched versions that include the fix
- Review systems with Intel Xe graphics hardware for signs of driver instability
- Consider disabling or restricting access to the Xe graphics driver on critical systems until patching is complete
- Monitor affected systems for unusual kernel behavior or crashes related to graphics operations
Patch Information
The Linux kernel development team has released patches addressing this vulnerability. The fix ensures proper finalization is called during queue creation failures by reusing __xe_exec_queue_fini() and making xe_lrc_put() NULL-safe.
Patch commits:
- Primary fix: Kernel Git Commit 99f9b534
- Additional changes: Kernel Git Commit fae65b8a
The patch was cherry-picked from commit 393e5fea6f7d7054abc2c3d97a4cfe8306cd6079.
Workarounds
- Restrict local user access to the graphics subsystem using appropriate permissions and policies
- Disable the Intel Xe DRM driver (xe.ko) on systems where it is not required
- Use alternative graphics drivers if available for affected hardware
- Implement access controls to limit which users can interact with DRM device nodes
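# Configuration example - Disable Xe driver loading (run as root)
# "blacklist" stops the module from being auto-loaded at boot or on device detection
echo "blacklist xe" >> /etc/modprobe.d/blacklist.conf
# Rebuild the initramfs so the change applies at early boot (Debian/Ubuntu)
update-initramfs -u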


