Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe/dma-buf: fix UAF with retry loop Retry doesn't work here, since bo will be freed on error, leading to UAF. However, now that we do the alloc & init before the attach, we can now combine this as one unit and have the init do the alloc for us. This should make the retry safe. Reported by Sashiko. v2: Fix up the error unwind (CI) (cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)
References (6)
Core 6
Core References
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-52950
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2492318
Scores
CVSS v3
7.8
EPSS
0.0013
EPSS Percentile
3.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-825
Status
published
Products (10)
linux/Kernel
6.18.0 - 6.18.33linux
linux/Kernel
6.19.0 - 7.0.10linux
Linux/Linux
< 6.18
Linux/Linux
6.18
Linux/Linux
6.18.33 - 6.18.*
Linux/Linux
7.0.10 - 7.0.*
Linux/Linux
7.1
Linux/Linux
eb289a5f6cc668853f9b2ea6aca04afe58ed11c7 - 155a372a1cc50fa93387c5d3cdfd614a61e1afd1
Linux/Linux
eb289a5f6cc668853f9b2ea6aca04afe58ed11c7 - 39fdac6be02eb7c3460518c1c4085f75f935c4ce
Linux/Linux
eb289a5f6cc668853f9b2ea6aca04afe58ed11c7 - 827062952ed9bdf4220466c1f05ce452d04bdedf
Published
Jun 24, 2026
Tracked Since
Jun 24, 2026