CVE-2026-46236 Overview
CVE-2026-46236 affects the Linux kernel media: rc: xbox_remote driver. The driver places an I/O buffer inside the device structure, which violates Direct Memory Access (DMA) coherency rules. Embedding DMA buffers within larger allocations can cause cache line sharing between the buffer and adjacent struct members. This sharing leads to data corruption on architectures with non-coherent DMA. The kernel maintainers resolved the issue by separating the DMA buffer from the device structure across multiple stable branches.
Critical Impact
Improper DMA buffer placement in the xbox_remote driver can corrupt kernel memory adjacent to the buffer, leading to undefined driver behavior or potential kernel instability on systems with non-coherent DMA.
Affected Products
- Linux kernel media: rc: xbox_remote driver
- Multiple stable kernel branches receiving backported fixes
- Systems using Xbox remote receivers with non-coherent DMA architectures
Discovery Timeline
- 2026-05-28 - CVE-2026-46236 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46236
Vulnerability Analysis
The vulnerability resides in the xbox_remote infrared remote control driver under drivers/media/rc/. The driver allocated its USB I/O buffer as a field within the larger device structure. The DMA API requires that buffers used for streaming DMA reside in their own allocation, separated from other data by at least a cache line. When a DMA buffer shares a cache line with other struct members, cache invalidation operations triggered by the device can discard CPU writes to those neighboring members. Likewise, CPU writes to neighboring members can be overwritten when the DMA hardware completes a transfer. This produces silent memory corruption that is difficult to diagnose.
Root Cause
The root cause is a violation of Linux DMA coherency rules in the xbox_remote driver. Placing the DMA buffer inside the device structure makes the buffer share cache lines with adjacent fields. On architectures without hardware cache coherency for DMA, this layout produces inconsistent views of memory between the CPU and the USB controller.
Attack Vector
No remote attack vector is documented for this issue. The fault triggers during normal driver operation when an Xbox remote receiver performs USB transfers. Impact is limited to systems with the affected driver loaded and non-coherent DMA hardware. The fix is tracked across kernel commits 0bd8ac88, 0cc92518, 48a668c2, 63a960b3, and e280d1e5. See the Kernel Git Commit 0bd8ac88 for the upstream change.
No verified exploitation code is available. The fix allocates the DMA buffer with kmalloc separately from the device structure so it occupies its own cache lines.
Detection Methods for CVE-2026-46236
Indicators of Compromise
- Unexplained kernel log entries referencing the xbox_remote driver or USB transfer errors on systems with Xbox remote receivers.
- Sporadic data corruption in driver state or input event reporting from the rc subsystem.
- Kernel warnings from DMA debugging facilities (CONFIG_DMA_API_DEBUG) flagging the xbox_remote driver.
Detection Strategies
- Audit running kernel versions across the fleet and compare against the patched stable branches referenced in the upstream commits.
- Enable CONFIG_DMA_API_DEBUG in lab environments to identify drivers performing DMA on buffers that share allocations with other structures.
- Review module load events for xbox_remote on systems that do not require Xbox remote functionality.
Monitoring Recommendations
- Collect kernel ring buffer logs centrally and alert on xbox_remote or usbcore error patterns.
- Track package and kernel update status on Linux endpoints through configuration management telemetry.
- Monitor for module insertion events on hardened systems where xbox_remote should not be loaded.
How to Mitigate CVE-2026-46236
Immediate Actions Required
- Apply the kernel update from your Linux distribution that includes one of the upstream fix commits listed in the references.
- On systems that do not use Xbox remote receivers, blacklist the xbox_remote module to remove exposure entirely.
- Reboot affected hosts after patching so the corrected driver code is loaded.
Patch Information
Fixes were merged across multiple stable kernel branches. Reference commits include Kernel Git Commit 0bd8ac88, Kernel Git Commit 0cc92518, Kernel Git Commit 48a668c2, Kernel Git Commit 63a960b3, and Kernel Git Commit e280d1e5. Use the kernel package provided by your distribution that includes the corresponding backport.
Workarounds
- Disable autoloading of the xbox_remote module on hosts that do not need it by adding a modprobe blacklist entry.
- Unplug Xbox remote USB receivers from production hosts until the kernel is patched.
- Restrict physical access to USB ports on systems where the driver cannot be removed.
# Blacklist the xbox_remote module until the kernel is patched
echo "blacklist xbox_remote" | sudo tee /etc/modprobe.d/blacklist-xbox_remote.conf
sudo depmod -a
sudo update-initramfs -u
# Verify the module is not loaded
lsmod | grep xbox_remote
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
