HIGH · CVE-2026-46201 · CNA: Linux

CVE-2026-46201: drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()

When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error.

Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.

(cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)
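A userspace model of the error path described above, added here as an illustration and not taken from the kernel source or from HarborGuard; every name in it (model_attach, model_detach, model_init_obj, model_import, leaked_after) is a hypothetical stand-in. It counts outstanding attachments to show the leak on the failure path, and why the fix detaches directly rather than jumping to a shared error label that would free bo a second time.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; all names are hypothetical stand-ins, not kernel code. */
struct bo { int id; };
struct attachment { int id; };
static int live_attachments; /* attaches not yet matched by a detach */
static int bo_frees;         /* how many times a bo was freed */

static struct attachment *model_attach(void) {
    struct attachment *a = malloc(sizeof(*a));
    if (a) live_attachments++;
    return a;
}
static void model_detach(struct attachment *a) {
    live_attachments--;
    free(a);
}
/* Mirrors the contract in the advisory: on failure the callee frees bo. */
static int model_init_obj(struct bo *bo, bool fail) {
    if (!fail) return 0;
    free(bo);
    bo_frees++;
    return -1;
}
/* fixed=false keeps the leak; fixed=true detaches before returning. */
static int model_import(bool init_fails, bool fixed) {
    struct bo *bo = malloc(sizeof(*bo));
    struct attachment *a = bo ? model_attach() : NULL;
    if (!a) { free(bo); return -1; }
    if (model_init_obj(bo, init_fails) < 0) {
        if (fixed) model_detach(a);
        /* No shared error label here: bo is already freed by the callee. */
        return -1;
    }
    model_detach(a); /* success path: released so the model stays balanced */
    free(bo);
    return 0;
}
/* Run n failing imports and report attachments still held afterwards. */
static int leaked_after(int n, bool fixed) {
    live_attachments = 0;
    bo_frees = 0;
    for (int i = 0; i < n; i++) model_import(true, fixed);
    return live_attachments;
}
int main(void) {
    printf("unpatched: %d leaked\n", leaked_after(100, false));
    printf("patched:   %d leaked\n", leaked_after(100, true));
    return 0;
}
```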

HarborGuard Analysis

Synopsis

A resource-leak vulnerability in the Linux kernel's DRM/Xe graphics driver allows a local attacker with low-privilege access to exploit a missing DMA-buf attachment cleanup in xe_gem_prime_import(). The flaw is reachable locally and requires only a standard user account, with no network exposure or user interaction needed. Successful exploitation gives the attacker read, write, and denial-of-service capabilities over the affected system. Patched-image rebuilds at fix versions 6.12.90 and 6.18.32 are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46201 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of upstream publication, including custom-built images that bundle affected kernel versions. Coverage extends to container images derived from distributions shipping Linux kernels in the affected range.

Status: Available

Triage

HarborGuard triage is capable of scoring this CVE at CVSS 7.8 HIGH and weighting it against each customer organization's compliance policy to determine urgency. Routing to the appropriate team inbox within each environment is available automatically based on policy configuration.

Status: Available

Patch

A patched-image rebuild against fix versions 6.12.90 and 6.18.32 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard can rebuild the image, run a regression test suite, and open a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required to trigger the vulnerable code path.

  • Authentication: Required

    Any low-privilege local account is sufficient to reach the vulnerable xe_gem_prime_import() code path; administrator rights are not needed.

  • Victim interaction: Not required

    No victim interaction is required; the attacker can trigger the vulnerability independently without social engineering.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions.

Blast Radius

  • A successful attacker can read kernel memory regions, including sensitive data such as credentials or cryptographic material held by the DRM subsystem.
  • The attacker can write to kernel memory, enabling modification of driver state or persistent data structures.
  • The resource leak can be triggered repeatedly to exhaust kernel DMA-buf attachment resources, crashing the affected graphics driver or the wider kernel.
  • All three impact dimensions (confidentiality, integrity, availability) are rated HIGH, meaning full compromise of the affected kernel subsystem is achievable.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46201 is active across all connected registries and CI pipelines, matching any image that bundles an affected Linux kernel version (including custom-built images) within minutes of scan ingestion. For environments where an affected version is found, a patched-image rebuild at kernel versions 6.12.90 or 6.18.32 is available. Where compliance policy permits auto-remediation, HarborGuard can rebuild the image, execute regression tests, and open a pull request against affected workloads automatically, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues. For environments that cannot yet apply the fix, compensating controls such as restricting access to DRM device nodes via Linux DAC or MAC policies (SELinux, AppArmor) and limiting container capabilities to reduce exposure of the DRM/Xe code path are worth evaluating while a full kernel upgrade is planned.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

0, 0afa8b1ef582ecf6fb04097fd356f8741e5005ed, 111ab678471bf1f90d078d5513bb086b70596c3c, 6.12.90, 6.18.32, 7.0.9, 7.1-rc2, d394669e194936d7ce15284a24a5ae334c4c5b74, eea1e10f8d99c0f04deef707c99705b94bba3b78

Affected packages
  • Linux / Linux
    < d394669e194936d7ce15284a24a5ae334c4c5b74 (from dd08ebf6c3525a7ea2186e636df064ea47281987) · < 0afa8b1ef582ecf6fb04097fd356f8741e5005ed (from dd08ebf6c3525a7ea2186e636df064ea47281987) · < eea1e10f8d99c0f04deef707c99705b94bba3b78 (from dd08ebf6c3525a7ea2186e636df064ea47281987) · < 111ab678471bf1f90d078d5513bb086b70596c3c (from dd08ebf6c3525a7ea2186e636df064ea47281987)
  • Linux / Linux
    6.8
    Fixed in 0, 6.12.90, 6.18.32, 7.0.9, 7.1-rc2
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H