CVE-2026-46224 Overview
CVE-2026-46224 is a memory leak vulnerability in the Linux kernel's drm/xe Direct Rendering Manager (DRM) driver for Intel Xe graphics. The flaw resides in the xe_dma_buf_init_obj() function, where a pre-allocated storage buffer object (bo) is not freed when drm_gpuvm_resv_object_alloc() fails. The caller xe_gem_prime_import() cannot determine whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), leading to ambiguous ownership and a leaked allocation on the error path. The issue has been resolved in upstream Linux kernel commits.
Critical Impact
Repeated triggering of the failure path can exhaust kernel memory through accumulated buffer object leaks, degrading system stability on hosts with Intel Xe graphics.
Affected Products
- Linux kernel versions containing the drm/xe driver prior to the fix
- Systems using Intel Xe graphics with DMA-BUF import paths
- Distributions shipping affected stable kernel branches
Discovery Timeline
- 2026-05-28 - CVE-2026-46224 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46224
Vulnerability Analysis
The vulnerability is a memory leak [CWE-401] in the Intel Xe DRM driver's DMA-BUF import flow. The xe_dma_buf_init_obj() function allocates a storage buffer object before calling drm_gpuvm_resv_object_alloc(). When that allocation call fails, the function returns an error without releasing the previously allocated storage bo.
The ambiguity is compounded by inconsistent ownership semantics. xe_bo_init_locked(), called later in the same function, frees the bo itself on error. As a result, the caller xe_gem_prime_import() cannot safely free the bo because it cannot tell which inner function failed. Each failed import path therefore leaks kernel memory.
The fix adds an explicit xe_bo_free(storage) call before returning the error and documents the ownership contract: on success, ownership transfers to the returned drm_gem_object; on failure, storage is released within the function.
Root Cause
The root cause is inconsistent error-path resource ownership in xe_dma_buf_init_obj(). The function partially relied on xe_bo_init_locked() to clean up allocated buffer objects on failure, but the earlier failure path through drm_gpuvm_resv_object_alloc() was missed, leaving the storage bo orphaned.
Attack Vector
Triggering the leak requires local interaction with the DRM subsystem through DMA-BUF import operations. An attacker or buggy userspace process that repeatedly invokes the affected import path under memory pressure or other failure conditions can incrementally exhaust kernel memory, leading to denial of service on the host.
No verified exploit code is publicly available. The vulnerability is described in the upstream kernel commit messages referenced in the Kernel Git Change Log.
Detection Methods for CVE-2026-46224
Indicators of Compromise
- Steadily increasing kernel slab usage attributable to drm/xe buffer object caches without corresponding userspace allocations
- Repeated failures returned from GEM prime import system calls on Intel Xe graphics hosts
- Out-of-memory events or oom-killer activity on systems running graphics-intensive workloads with affected kernels
Detection Strategies
- Compare running kernel versions against the fixed commits 8fa8c2a22585, 93a528f67ce5, and f9ad21b90162 in the stable trees
- Monitor /proc/slabinfo and /sys/kernel/debug/dri/ for abnormal growth in Xe buffer object allocations over time
- Use kernel tracing (ftrace, bpftrace) on xe_dma_buf_init_obj and drm_gpuvm_resv_object_alloc to observe error-path frequency
Monitoring Recommendations
- Track kernel memory consumption trends on hosts running Intel Xe graphics workloads, including virtualized GPU passthrough environments
- Alert on repeated DMA-BUF import errors logged via dmesg from the xe driver
- Maintain an inventory of Linux kernel versions across the fleet to identify hosts still running pre-patch builds
How to Mitigate CVE-2026-46224
Immediate Actions Required
- Update affected Linux kernels to a stable release containing the fix from the referenced kernel.org commits
- Reboot updated hosts to load the patched kernel
- For systems that cannot be patched immediately, limit local user access to DRM device nodes such as /dev/dri/renderD*
Patch Information
The fix has been merged upstream and backported to stable trees. The relevant commits are available in the Kernel Git Change Log for commit 8fa8c2a2, the Kernel Git Change Log for commit 93a528f6, and the Kernel Git Change Log for commit f9ad21b9. The patch adds xe_bo_free(storage) to the error path and documents ownership semantics.
Workarounds
- Restrict DRM device permissions so only trusted users can perform DMA-BUF import operations
- Disable the xe driver on hosts that do not require Intel Xe graphics by blacklisting the module
- Monitor and reboot long-running hosts where kernel memory growth from the leak becomes operationally significant
# Blacklist the xe driver on hosts that do not require Intel Xe graphics
echo "blacklist xe" | sudo tee /etc/modprobe.d/blacklist-xe.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
