CVE-2026-46264 Overview
CVE-2026-46264 is a kernel vulnerability in the Linux drm/xe graphics driver affecting the SR-IOV Physical Function (PF) sysfs initialization path. The flaw originates in xe_sriov_pf_sysfs_init(), where devm_add_action_or_reset() registers a cleanup action against a kobject that has not yet been initialized. When registration fails, the cleanup runs immediately, triggering kobject_put() on an uninitialized object. The result is a refcount underflow and a use-after-free condition in kernel memory. The issue also produces undetected leaks because, inside the loop, the cleanup action was registered against the parent kobject rather than the child kobject being created.
Critical Impact
A failed device probe path in the Intel Xe SR-IOV driver leads to kobject use-after-free and refcount underflow inside the kernel, producing warnings and potential memory corruption during PCI device initialization.
Affected Products
- Linux kernel versions containing the drm/xe driver with SR-IOV PF support prior to commits 6ae479b1919e and bf7172cd25ed
- Systems using Intel Xe graphics hardware with SR-IOV Physical Function enabled
- Distributions shipping affected mainline and stable kernel branches
Discovery Timeline
- 2026-06-03 - CVE-2026-46264 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46264
Vulnerability Analysis
The defect resides in xe_sriov_pf_sysfs_init() within the Intel Xe Direct Rendering Manager (DRM) driver. The function calls devm_add_action_or_reset() to register a cleanup callback responsible for releasing a kobject. The kernel API contract for devm_add_action_or_reset() specifies that if action registration fails, the cleanup runs immediately to prevent resource leaks. In the affected code, the kobject passed to that cleanup has not yet been initialized through kobject_init(). Running kobject_put() on an uninitialized object triggers the kernel warning "kobject: '(null)' ... is not initialized, yet kobject_put() is being called", followed by a "refcount_t: underflow; use-after-free" warning from refcount_warn_saturate().
Root Cause
The root cause is improper ordering of resource initialization and cleanup registration [CWE-416]. The cleanup handler was attached before kobject_init() and kobject_add() were invoked. A secondary defect compounds the issue: inside a loop, the cleanup action was registered against the parent kobject instead of the child kobject being created, leaving child objects without a proper release path and producing silent leaks.
Attack Vector
The condition is reached during PCI probe of an Intel Xe device with SR-IOV Physical Function support. Triggering the use-after-free requires that devm_add_action_or_reset() fail during xe_sriov_pf_init_late(), which in practice depends on kernel memory pressure or allocation failure during probe. The vector is local and tied to device initialization rather than remote input, so it is primarily a stability and kernel-integrity concern rather than a remote attack surface.
The fix splits the kobject lifecycle into explicit kobject_init() followed by kobject_add(), registers the cleanup action only after the kobject is initialized, and moves cleanup registration into the create helper so that each child kobject receives its own correctly scoped release handler. The corrected sequence is documented in the upstream commits 6ae479b1919e and bf7172cd25ed.
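The ordering defect and its fix, as an added userspace C model (not the xe driver's code and not the upstream patch). struct kobj_model, fail_devm and the *_model, init_* and run_failing functions are hypothetical stand-ins for the kernel's kobject and devm APIs; kobject_add() and the per-child loop are left out.

```c
#include <errno.h>
#include <stdio.h>

struct kobj_model { int initialized, refcount, released; }; /* stand-in for a kobject */
static int warn_uninit, warn_underflow; /* counters for the two kernel warnings */
static int fail_devm;                   /* constructed fault: registration fails */
static void kobject_init_model(struct kobj_model *k) { k->initialized = 1; k->refcount = 1; }
static void kobject_put_model(void *data)
{
    struct kobj_model *k = data;
    if (!k->initialized)
        warn_uninit++;      /* "is not initialized, yet kobject_put() is being called" */
    if (k->refcount-- <= 0)
        warn_underflow++;   /* "refcount_t: underflow; use-after-free" */
    else if (k->refcount == 0)
        k->released = 1;    /* last reference dropped: release callback runs */
}
/* Models the contract described above: on failure the action runs immediately. */
static int devm_add_action_or_reset_model(void (*action)(void *), void *data)
{
    if (fail_devm) { action(data); return -ENOMEM; }
    return 0;               /* on success the action is deferred to teardown */
}
/* Affected ordering: cleanup registered before the kobject is initialized. */
static int init_affected(struct kobj_model *k)
{
    int err = devm_add_action_or_reset_model(kobject_put_model, k);
    if (!err)
        kobject_init_model(k);
    return err;
}
/* Fixed ordering: initialize first, then register the cleanup. */
static int init_fixed(struct kobj_model *k)
{
    kobject_init_model(k);
    return devm_add_action_or_reset_model(kobject_put_model, k);
}
/* Run one variant with registration forced to fail; return the warning count. */
static int run_failing(int (*init)(struct kobj_model *), struct kobj_model *k)
{
    *k = (struct kobj_model){0};
    warn_uninit = warn_underflow = 0; fail_devm = 1;
    init(k);
    return warn_uninit + warn_underflow;
}
int main(void)
{
    struct kobj_model a, f;
    printf("affected=%d fixed=%d\n", run_failing(init_affected, &a), run_failing(init_fixed, &f));
    return 0;
}
```

With the fixed ordering, the same registration failure drops the single initialized reference and releases the object, so the error path produces no warning.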
Detection Methods for CVE-2026-46264
Indicators of Compromise
- Kernel log entries containing "kobject: '(null)' ... is not initialized, yet kobject_put() is being called" originating from the xe module
- WARNING at lib/kobject.c:734 in kobject_put+0xd9/0x250 with a call trace through xe_sriov_pf_sysfs_init
- "refcount_t: underflow; use-after-free" warnings from refcount_warn_saturate correlated with xe_sriov_pf_init_late and xe_pci_probe
Detection Strategies
- Monitor dmesg and journalctl -k for the warning signatures above during boot and PCI hotplug events on hosts with Intel Xe SR-IOV hardware
- Track kernel version inventory and flag hosts running drm/xe builds that do not include the upstream fix commits 6ae479b1919e or bf7172cd25ed
- Correlate probe failures of the xe driver with subsequent kernel taints or unexpected reboots
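One way to apply the first and third strategies to a kernel log, as an added example that is not part of the original advisory: a warning counts only when an xe probe-path frame follows it. The sample logs are constructed (the +0x0/0x0 offsets, pointer value and CPU/PID fields are placeholders), and TRACE_WINDOW and the function names are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>
#define SIG_WARN 1      /* either warning string from the indicator list */
#define SIG_XE 2        /* a frame from the xe SR-IOV PF probe path */
#define TRACE_WINDOW 40 /* assumption: max lines between warning and xe frame */
/* Constructed sample logs (not captured from a real host). */
static const char SAMPLE_XE[] =
    "kobject: '(null)' (0000000000000000): is not initialized, yet kobject_put() is being called.\n"
    "WARNING: CPU: 0 PID: 1 at lib/kobject.c:734 kobject_put+0xd9/0x250\n"
    " xe_sriov_pf_sysfs_init+0x0/0x0 [xe]\n"
    "refcount_t: underflow; use-after-free.\n"
    " xe_pci_probe+0x0/0x0 [xe]\n";
static const char SAMPLE_OTHER[] = "refcount_t: underflow; use-after-free.\n other_probe+0x0/0x0 [other]\n";

static int classify_line(const char *line)
{
    int hit = 0;
    if (strstr(line, "is not initialized, yet kobject_put() is being called") ||
        strstr(line, "refcount_t: underflow; use-after-free"))
        hit |= SIG_WARN;
    if (strstr(line, "xe_sriov_pf_sysfs_init") || strstr(line, "xe_sriov_pf_init_late") ||
        strstr(line, "xe_pci_probe"))
        hit |= SIG_XE;
    return hit;
}

/* Count warnings whose following trace lines include an xe probe-path frame. */
static int count_xe_warnings(const char *log)
{
    char line[512];
    int alerts = 0, window = 0;
    while (*log) {
        size_t n = strcspn(log, "\n");
        snprintf(line, sizeof(line), "%.*s", (int)n, log); /* copy one line, truncating safely */
        int hit = classify_line(line);
        if (hit & SIG_WARN) {
            window = TRACE_WINDOW;          /* open a window for the call trace */
        } else if (window > 0) {
            alerts += (hit & SIG_XE) != 0;  /* attribute the warning to xe */
            window = (hit & SIG_XE) ? 0 : window - 1;
        }
        log += n + (log[n] == '\n');
    }
    return alerts;
}
int main(void)
{
    printf("xe=%d other=%d\n", count_xe_warnings(SAMPLE_XE), count_xe_warnings(SAMPLE_OTHER));
    return 0;
}
```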
Monitoring Recommendations
- Forward kernel ring buffer logs to a centralized logging or SIEM platform and alert on refcount_warn_saturate and kobject_put warnings
- Watch for repeated xe_pci_probe failures on virtualization hosts using Intel SR-IOV graphics
- Include kernel package versions in configuration baselines and detect drift from patched releases
How to Mitigate CVE-2026-46264
Immediate Actions Required
- Inventory hosts running the drm/xe driver with SR-IOV PF enabled and identify kernels lacking the upstream fix
- Apply the upstream patches 6ae479b1919e and bf7172cd25ed or upgrade to a distribution kernel that incorporates them
- Reboot affected systems after kernel upgrade to ensure the patched xe module is loaded
Patch Information
The upstream fix calls kobject_init() and kobject_add() separately and registers the devm cleanup action only after the kobject is initialized. The cleanup registration is moved into the create helper so that each child kobject is bound to its own release callback. Patches are available at the Kernel Git Commit 6ae479b1919e and Kernel Git Commit bf7172cd25ed.
Workarounds
- Until the patched kernel is deployed, disable SR-IOV on Intel Xe devices by ensuring sriov_numvfs is not set on affected PCI devices
- Blacklist the xe module on systems that do not require Intel Xe graphics, using /etc/modprobe.d/ configuration
- Avoid dynamic loading and unloading of the xe driver on production hosts running unpatched kernels
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


