CVE-2026-46201 Overview
CVE-2026-46201 is a resource leak vulnerability in the Linux kernel's Intel Xe Direct Rendering Manager (DRM) driver. The issue resides in the xe_gem_prime_import() function, where a failure path in xe_dma_buf_init_obj() does not detach a previously created dma-buf attachment. The dynamic attachment acquired via dma_buf_dynamic_attach() is leaked when object initialization fails, leading to resource accumulation in the kernel's graphics buffer-sharing subsystem.
Critical Impact
Repeated triggering of the failure path leaks dma-buf attachments in kernel memory, potentially leading to resource exhaustion and degraded system stability on hosts running the affected drm/xe driver.
Affected Products
- Linux kernel drm/xe driver (Intel Xe graphics)
- Stable kernel branches receiving the cherry-pick from commit a828eb185aac41800df8eae4b60501ccc0dbbe51
- Systems using xe_gem_prime_import() for dma-buf object import
Discovery Timeline
- 2026-05-28 - CVE-2026-46201 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46201
Vulnerability Analysis
The vulnerability is a memory/resource leak [CWE-401-class] in the Intel Xe DRM driver's PRIME import path. PRIME is the DRM subsystem mechanism for sharing GEM (Graphics Execution Manager) buffer objects between drivers using dma-buf file descriptors. When user space imports a dma-buf into the Xe driver, xe_gem_prime_import() calls dma_buf_dynamic_attach() to register the driver as a dynamic importer of the buffer.
If the subsequent call to xe_dma_buf_init_obj() fails, the function returns an error without invoking dma_buf_detach(). The dynamic attachment remains registered against the exporter, holding references and consuming kernel resources. The fix adds an explicit dma_buf_detach() call before the error return path.
The patch notes that a simple goto out_err cleanup label cannot be used because xe_dma_buf_init_obj() already frees the buffer object (bo) on failure. Using a shared cleanup label would result in a double-free of the GEM object.
Root Cause
The root cause is missing cleanup of an acquired resource along an error path. The function acquired the attachment via dma_buf_dynamic_attach() but failed to release it with the paired dma_buf_detach() call when object initialization downstream returned an error.
Attack Vector
This is a local kernel-side resource leak. Triggering the leak requires the ability to invoke the GEM PRIME import ioctl against the Xe driver and reach the failure condition in xe_dma_buf_init_obj(). The bug is reachable from local user space with access to the DRM render node. There is no indication of remote exploitation, code execution, or privilege escalation tied to this CVE.
The vulnerability is described by the upstream commits. See the references for technical details: Kernel Git Commit 0afa8b1, Kernel Git Commit 111ab67, Kernel Git Commit d394669, and Kernel Git Commit eea1e10.
Detection Methods for CVE-2026-46201
Indicators of Compromise
- Growing kernel memory usage attributable to dma-buf attachments without corresponding free operations.
- Repeated failures of PRIME import ioctls (DRM_IOCTL_PRIME_FD_TO_HANDLE) against the Xe driver from user-space graphics clients.
- Long-running workloads on Intel Xe hardware showing unexplained kmalloc growth in dma-buf-related slabs.
Detection Strategies
- Compare the running kernel version against the fixed commits listed in the kernel.org stable tree references.
- Audit kernel logs (dmesg) for repeated errors originating from xe_gem_prime_import or xe_dma_buf_init_obj.
- Use slabtop and /proc/slabinfo to track growth in dma-buf and DRM-related slab caches over time.
Monitoring Recommendations
- Monitor host memory trends on systems running Intel Xe GPUs and alert on sustained kernel slab growth.
- Track DRM render node access by non-graphics workloads, which can indicate abnormal use of GEM PRIME import paths.
- Inventory deployed kernel versions across the fleet and flag hosts running unpatched drm/xe builds.
How to Mitigate CVE-2026-46201
Immediate Actions Required
- Identify all hosts running Linux kernels that include the Intel Xe DRM driver and verify whether they include the fix.
- Apply the vendor-supplied kernel update from your Linux distribution as soon as it incorporates the upstream stable patches.
- Restrict access to /dev/dri/renderD* nodes to trusted user accounts and graphics processes to limit who can trigger the import path.
Patch Information
The fix adds an explicit dma_buf_detach() call before the error return in xe_gem_prime_import(). It was backported to stable kernel branches via commits 0afa8b1ef582ecf6fb04097fd356f8741e5005ed, 111ab678471bf1f90d078d5513bb086b70596c3c, d394669e194936d7ce15284a24a5ae334c4c5b74, and eea1e10f8d99c0f04deef707c99705b94bba3b78, cherry-picked from upstream commit a828eb185aac41800df8eae4b60501ccc0dbbe51. Consult your distribution's security tracker for the corresponding package version.
Workarounds
- If patching is not immediately possible, restrict access to the Xe DRM render node using filesystem permissions and udev rules.
- Reboot affected hosts periodically to reclaim leaked attachments until the patched kernel is deployed.
- On systems that do not require Intel Xe GPU acceleration, consider blacklisting the xe kernel module.
# Verify running kernel and module status
uname -r
lsmod | grep -E '^xe '
# Restrict DRM render node access to the 'render' group only
ls -l /dev/dri/renderD*
chgrp render /dev/dri/renderD*
chmod 0660 /dev/dri/renderD*
# Optionally blacklist the xe module if not required
echo 'blacklist xe' | sudo tee /etc/modprobe.d/blacklist-xe.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
