CVE-2026-43280 Overview
CVE-2026-43280 is an out-of-bounds read vulnerability in the Linux kernel's drm/xe graphics driver. The flaw resides in the madvise IOCTL handler, where the xe_pat_index_get_coh_mode() function accesses the xe->pat.table array without validating bounds. A local user can supply a crafted pat_index value to read kernel memory beyond the intended array.
The issue exists because madvise_args_are_sane() invokes xe_pat_index_get_coh_mode(xe, args->pat_index.val) before verifying that pat_index falls within [0, xe->pat.n_entries). The existing WARN_ON check fires only in debug builds and does not prevent the unsafe array read in production kernels.
Critical Impact
Local users with access to the Xe DRM device can trigger an out-of-bounds kernel read, potentially leaking sensitive kernel memory contents.
Affected Products
- Linux kernel versions containing the drm/xe driver with the madvise IOCTL
- Systems using Intel Xe graphics with the upstream xe DRM kernel driver
- Stable kernel branches prior to the fix commits 79f5265556, fbbe32618e, and ffba51100f
Discovery Timeline
- 2026-05-06 - CVE CVE-2026-43280 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43280
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in the Intel Xe Direct Rendering Manager (DRM) driver. The madvise IOCTL accepts a pat_index value from userspace that selects an entry in the Page Attribute Table (PAT). The kernel uses this index to look up the coherency mode for the requested memory advice operation.
The sanity check function madvise_args_are_sane() calls xe_pat_index_get_coh_mode() directly with the user-supplied index. The lookup function indexes into xe->pat.table without first comparing the value against xe->pat.n_entries. As a result, an arbitrary attacker-controlled index dereferences memory adjacent to or far beyond the legitimate PAT table.
The upstream fix introduces an explicit bounds check before the array access. It also applies array_index_nospec() to mitigate Spectre-v1 speculative execution side channels when the index is later consumed.
Root Cause
The root cause is missing input validation on a user-controlled array index. The WARN_ON macro inside xe_pat_index_get_coh_mode() was relied on as an implicit sanity check, but WARN_ON only logs a warning and does not abort the unsafe access. In non-debug production kernels, the warning is ineffective and the out-of-bounds read proceeds.
Attack Vector
A local attacker with permission to open the Xe DRM device node, typically /dev/dri/cardN, issues a madvise IOCTL with a pat_index value larger than n_entries or a negative integer. The kernel reads memory at an attacker-influenced offset from the PAT table base. While the read result is not directly returned to userspace, the value influences the coherency mode decision, which can be observed through subsequent buffer behavior. Speculative execution paths also expose the read value to Spectre-style cache side-channel attacks.
No verified public exploit code is available. The vulnerability mechanism is documented in the upstream kernel commits referenced below.
Detection Methods for CVE-2026-43280
Indicators of Compromise
- Kernel log entries containing WARN_ON traces from xe_pat_index_get_coh_mode on debug-enabled kernels
- Unexpected madvise IOCTL calls against /dev/dri/card* or /dev/dri/renderD* from non-graphics processes
- Repeated DRM_IOCTL_XE_VM_BIND or madvise calls with large or unusual pat_index values
Detection Strategies
- Audit kernel ring buffer (dmesg) for warnings originating in drivers/gpu/drm/xe/xe_pat.c
- Monitor process behavior for non-graphics workloads issuing DRM IOCTLs against the Xe device
- Compare running kernel version against the fixed commits 79f5265556, fbbe32618e, and ffba51100f
Monitoring Recommendations
- Enable Linux audit rules covering ioctl syscalls on /dev/dri/* device nodes
- Track kernel version inventory across hosts using Intel Xe-class GPUs and flag unpatched systems
- Forward kernel logs to a centralized logging system to correlate DRM warnings with user activity
How to Mitigate CVE-2026-43280
Immediate Actions Required
- Apply the upstream stable kernel update containing commits 79f52655567a, fbbe32618e97, and ffba51100ff6
- Inventory all systems running the xe DRM driver, including workstations and servers using Intel Xe or Arc GPUs
- Restrict access to /dev/dri/* device nodes to trusted users and graphics-aware service accounts
Patch Information
The fix is published as a cherry-pick of upstream commit 944a3329b05510d55c69c2ef455136e2fc02de29. It adds a bounds check on pat_index against xe->pat.n_entries before any array access and uses array_index_nospec() to harden against Spectre-v1. Refer to the Kernel Git Commit Fix, Kernel Git Commit Update, and Kernel Git Commit Improvement for the patched code.
Workarounds
- Tighten permissions on /dev/dri/renderD* and /dev/dri/card* so only the video or render group can open them
- Unload the xe kernel module on systems that do not require Intel Xe graphics acceleration
- Use Linux Security Modules such as SELinux or AppArmor to restrict which processes may issue DRM IOCTLs
# Verify kernel version and check for the xe module
uname -r
lsmod | grep ^xe
# Restrict access to DRM render nodes to the render group
chgrp render /dev/dri/renderD*
chmod 0660 /dev/dri/renderD*
# Unload the xe driver if not required
sudo modprobe -r xe
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
