CVE-2026-46309 Overview
CVE-2026-46309 affects the Linux kernel drm/xe graphics driver, used for Intel Xe-architecture GPUs. The vulnerability resides in the xe_vm_madvise_ioctl() user-space API, which previously accepted Page Attribute Table (PAT) indices with XE_COH_NONE coherency mode for CPU-cached memory. A GPU operating in coh_none mode bypasses CPU caches and reads directly from DRAM. When the kernel clears freed pages in CPU cache before reallocation, those writes remain dirty in cache while DRAM still holds prior data. An attacker with GPU access can read stale sensitive contents from previously freed pages belonging to other processes.
Critical Impact
Local processes with GPU access can leak residual memory contents from freed pages of other processes, including potentially sensitive kernel or user data.
Affected Products
- Linux kernel drm/xe driver (Intel Xe GPU stack)
- Integrated GPU (iGPU) configurations using the xe driver
- Distributions shipping affected upstream kernels prior to the fix commits
Discovery Timeline
- 2026-06-08 - CVE-2026-46309 published to the National Vulnerability Database (NVD)
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46309
Vulnerability Analysis
The Linux kernel xe Direct Rendering Manager (DRM) driver exposes the xe_vm_madvise_ioctl() interface to user space. This ioctl lets applications set memory advice, including the PAT index that governs caching and coherency for GPU mappings. Before the fix, the ioctl did not reject XE_COH_NONE coherency on buffer objects backed by CPU-cached memory.
When the kernel reclaims and clears a page, the zeroing write lands in the CPU cache. The DRAM page underneath may still contain the prior owner's data until cache lines are written back. A GPU mapping configured with coh_none bypasses CPU caches and fetches directly from DRAM. This race exposes stale data from previously freed pages, producing a cross-process information disclosure primitive.
The fix aligns xe_vm_madvise_ioctl() validation with the existing checks in the vm_bind path (xe_vm_bind_ioctl_validate_bo). The committed patch limits the restriction to integrated GPUs (iGPU), where system memory is shared with the CPU.
Root Cause
The root cause is missing input validation in the madvise ioctl path. Coherency mode and backing-store cache attributes must be consistent, but the ioctl accepted incompatible combinations. This is an Improper Input Validation issue leading to Information Disclosure via uninitialized or stale memory.
Attack Vector
A local unprivileged user with access to the xe DRM device node issues madvise ioctl calls that assign a coh_none PAT index to CPU-cached buffer objects. The user then triggers GPU reads against those mappings. The GPU bypasses CPU caches and returns stale DRAM contents from recently freed pages of other processes.
No verified public proof-of-concept code is available. See the upstream commits referenced below for the exact validation logic added to xe_vm_madvise_ioctl().
Detection Methods for CVE-2026-46309
Indicators of Compromise
- No file-based indicators are associated with this kernel vulnerability
- Unexpected XE_COH_NONE PAT index assignments via DRM_IOCTL_XE_VM_MADVISE on systems with iGPU
- Unprivileged processes repeatedly invoking madvise ioctls on /dev/dri/renderD* devices
Detection Strategies
- Audit kernel package versions against the fixed commits 4e5591c2, 87f9b152, and fea04cf6 from the upstream stable tree
- Monitor for processes opening DRM render nodes and issuing high volumes of vm_madvise ioctls
- Use kernel auditing (auditd) to log ioctl invocations on /dev/dri/renderD* for forensic review
Monitoring Recommendations
- Track installed kernel versions across the Linux fleet and flag hosts running unpatched drm/xe builds
- Watch dmesg for new debug messages emitted by the patched xe_vm_madvise_ioctl() rejection path
- Correlate GPU workload anomalies on Intel iGPU systems with process and user context
How to Mitigate CVE-2026-46309
Immediate Actions Required
- Upgrade to a Linux kernel build that includes the upstream fix commits 4e5591c2fc1b, 87f9b1528e1f, or fea04cf6f234
- Inventory systems using Intel Xe-architecture integrated GPUs and prioritize them for patching
- Restrict access to /dev/dri/renderD* device nodes to trusted users via group membership and udev rules
Patch Information
The fix is committed upstream and backported to stable trees. Reference the Kernel Git Commit 4e5591c, Kernel Git Commit 87f9b15, and Kernel Git Commit fea04cf for the validation added to xe_vm_madvise_ioctl(). Apply distribution kernel updates that include these commits.
Workarounds
- Limit GPU device node access to vetted accounts until the patched kernel is deployed
- Disable the xe driver module on systems that do not require it and rely on alternative GPU drivers where feasible
- Apply mandatory access controls (SELinux, AppArmor) to constrain processes able to issue DRM ioctls
# Verify running kernel and check for the fix commits in changelog
uname -r
rpm -q --changelog kernel | grep -E '4e5591c2|87f9b152|fea04cf6'
# Restrict access to DRM render nodes
chgrp render /dev/dri/renderD*
chmod 0660 /dev/dri/renderD*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
