CVE-2026-46216 Overview
CVE-2026-46216 is a NULL pointer dereference vulnerability in the Linux kernel's drm/xe/hdcp subsystem. The flaw resides in the intel_hdcp_gsc_check_status() function, which fails to validate the media_gt pointer before dereferencing it. When the media GT is disabled through configfs, media_gt remains NULL, and accessing &gt->uc.gsc triggers a kernel pagefault.
The issue affects systems using the Intel Xe Direct Rendering Manager (DRM) driver with High-bandwidth Digital Content Protection (HDCP) functionality. Triggering the bug causes a kernel-level fault that disrupts graphics and protected content workflows on affected configurations.
Critical Impact
Local conditions that disable media GT via configfs cause a kernel pagefault when HDCP status checks execute, leading to system instability.
Affected Products
- Linux kernel — drm/xe/hdcp driver subsystem
- Systems with Intel Xe DRM driver and media GT disabled via configfs
- Stable kernel branches receiving the cherry-picked fix from upstream commit bfaf87e84ca3
Discovery Timeline
- 2026-05-28 - CVE-2026-46216 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46216
Vulnerability Analysis
The vulnerability is a NULL pointer dereference [CWE-476] in the Intel Xe HDCP support code. The function intel_hdcp_gsc_check_status() accesses fields on the media_gt structure without first verifying that the pointer is non-NULL. On platforms where the media Graphics Tile (GT) is disabled through configfs, the kernel does not allocate media_gt, leaving it as NULL.
When the HDCP status check runs in this state, the expression &gt->uc.gsc computes an offset from a NULL base. Dereferencing the resulting address produces a kernel pagefault. The fault occurs in kernel context, terminating the affected task and potentially destabilizing the graphics stack.
The upstream fix introduces an explicit NULL check on media_gt and returns early when the pointer is unset. The patch also removes a redundant NULL check on gsc, which cannot be NULL when media_gt is valid.
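A user-space model of the defect and the fix described above, added here as an illustration and not the kernel's own code. The struct names, the ready field and the false return value are assumptions; only media_gt and uc.gsc come from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-ins; every name except media_gt and uc.gsc is assumed. */
struct model_gsc  { bool ready; };
struct model_uc   { long other_state; struct model_gsc gsc; };
struct model_gt   { long id; struct model_uc uc; };
struct model_tile { struct model_gt *media_gt; };  /* NULL when media GT is disabled */

/* Address &gt->uc.gsc resolves to when gt is NULL: a small non-zero offset,
 * which is why a later "if (!gsc)" test cannot catch the bad pointer. */
size_t gsc_offset_from_null_gt(void)
{
    return offsetof(struct model_gt, uc) + offsetof(struct model_uc, gsc);
}

/* Pre-fix shape: gsc is derived from gt before anything is validated.
 * Only call this with a non-NULL media_gt. */
bool check_status_unpatched(const struct model_tile *tile)
{
    const struct model_gt *gt = tile->media_gt;
    const struct model_gsc *gsc = &gt->uc.gsc;
    if (!gsc)               /* redundant: never true for a valid gt */
        return false;
    return gsc->ready;      /* the read that faults when gt is NULL */
}

/* Post-fix shape: validate media_gt first, then use it. */
bool check_status_patched(const struct model_tile *tile)
{
    const struct model_gt *gt = tile->media_gt;
    if (!gt)                /* media GT disabled; returning false is assumed */
        return false;
    return gt->uc.gsc.ready;
}

/* Run the patched check against a constructed tile. */
bool run_patched(bool media_gt_enabled, bool gsc_ready)
{
    struct model_gt gt = { .id = 1, .uc = { .other_state = 0, .gsc = { .ready = gsc_ready } } };
    struct model_tile tile = { .media_gt = media_gt_enabled ? &gt : NULL };
    return check_status_patched(&tile);
}

int main(void) { return run_patched(false, true) ? 1 : 0; }
```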
Root Cause
The root cause is missing input validation on the media_gt pointer inside intel_hdcp_gsc_check_status(). The function assumes media GT is always allocated, an assumption that breaks when administrators disable media GT through configfs. No defensive check existed to handle the legitimate disabled state.
Attack Vector
The vulnerability requires a system configuration where the media GT is disabled via configfs on hardware that exercises the Xe HDCP path. Code paths that invoke intel_hdcp_gsc_check_status() trigger the fault. The condition is local and tied to platform configuration rather than remote input.
No verified exploit code is available. The vendor advisory describes the issue and the upstream remediation. See the kernel git commit reference for the patch details.
Detection Methods for CVE-2026-46216
Indicators of Compromise
- Kernel pagefault entries in dmesg or journalctl -k referencing intel_hdcp_gsc_check_status in the call trace.
- Oops or BUG messages pointing to the drm/xe/hdcp module on systems where media GT is disabled.
- HDCP session failures or graphics subsystem hangs on Intel Xe platforms following configfs changes.
Detection Strategies
- Inventory Linux hosts running the Intel Xe DRM driver and identify those with media GT disabled through configfs.
- Correlate kernel crash dumps with the intel_hdcp_gsc_check_status() symbol to identify exposed systems.
- Verify installed kernel versions against the fixed commits referenced in the upstream stable tree.
Monitoring Recommendations
- Forward kernel logs to a centralized logging platform and alert on Oops or pagefault events involving the xe or i915 HDCP code paths.
- Track kernel package versions across the fleet and flag hosts running unpatched stable branches.
- Monitor configfs changes that toggle media GT state on production systems.
How to Mitigate CVE-2026-46216
Immediate Actions Required
- Apply the upstream patch from the stable kernel tree to all affected systems running the Intel Xe DRM driver.
- Identify hosts that disable media GT via configfs and prioritize them for kernel updates.
- Restrict administrative access to configfs to reduce exposure on unpatched systems.
Patch Information
The fix is available in the Linux stable tree through commits 60a1e131a811b68703da58fd805ab359b704ab03 and d8ab4b47edf4578dbfbe5e95817107a514fa34cc, cherry-picked from upstream commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1. Refer to the Kernel Git Commit Reference and the secondary commit reference for details. Apply distribution-provided kernel updates that incorporate these commits.
Workarounds
- Avoid disabling media GT through configfs on systems running an unpatched Intel Xe kernel driver.
- Limit configfs write access to trusted administrators where the patch cannot be applied immediately.
- Where HDCP is not required, disable HDCP-related workloads until the kernel is updated.
# Verify the running kernel against the fixed stable commits
uname -r
# Check for the symbol in the running kernel image
grep intel_hdcp_gsc_check_status /proc/kallsyms
# Inspect kernel logs for related pagefaults
journalctl -k | grep -i 'intel_hdcp_gsc_check_status\|xe.*hdcp'


