CVE-2026-46264: drm/xe/pf: Fix sysfs initialization
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/pf: Fix sysfs initialization

In case of devm_add_action_or_reset() failure the provided cleanup action will be run immediately on the not yet initialized kobject. This may lead to errors like:

[ ] kobject: '(null)' (ff110001393608e0): is not initialized, yet kobject_put() is being called.
[ ] WARNING: lib/kobject.c:734 at kobject_put+0xd9/0x250, CPU#0: kworker/0:0/9
[ ] RIP: 0010:kobject_put+0xdf/0x250
[ ] Call Trace:
[ ]  xe_sriov_pf_sysfs_init+0x21/0x100 [xe]
[ ]  xe_sriov_pf_init_late+0x87/0x2b0 [xe]
[ ]  xe_sriov_init_late+0x5f/0x2c0 [xe]
[ ]  xe_device_probe+0x5f2/0xc20 [xe]
[ ]  xe_pci_probe+0x396/0x610 [xe]
[ ]  local_pci_probe+0x47/0xb0
[ ] refcount_t: underflow; use-after-free.
[ ] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x68/0xb0, CPU#0: kworker/0:0/9
[ ] RIP: 0010:refcount_warn_saturate+0x68/0xb0
[ ] Call Trace:
[ ]  kobject_put+0x174/0x250
[ ]  xe_sriov_pf_sysfs_init+0x21/0x100 [xe]
[ ]  xe_sriov_pf_init_late+0x87/0x2b0 [xe]
[ ]  xe_sriov_init_late+0x5f/0x2c0 [xe]
[ ]  xe_device_probe+0x5f2/0xc20 [xe]
[ ]  xe_pci_probe+0x396/0x610 [xe]
[ ]  local_pci_probe+0x47/0xb0

Fix that by calling kobject_init() and kobject_add() separately and registering the cleanup action after the kobject is initialized. Also make this cleanup registration a part of the create helper to fix another mistake, as in the loop we were wrongly passing the parent kobject while registering the cleanup action, and this resulted in some undetected leaks.

(cherry picked from commit 98b16727f07e26a5d4de84d88805ce7ffcfdd324)
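The two mistakes the commit message describes (registering the devm cleanup before the kobject is initialized, and registering it on the parent instead of the new child inside the creation loop) are easy to see in a small user-space model. The C below is an added example, not the kernel's or the xe driver's code: the kobj/devm helpers only imitate the kernel's kobject_init(), kobject_add(), kobject_put() and devm_add_action_or_reset() semantics closely enough to show the ordering, the "before" ordering is an assumption reconstructed from the text, and the fail_next flag is constructed fault injection standing in for a real registration failure.

```c
/* Added example: user-space model of the kobject/devm ordering bug. Not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct kobj {
    int refcount;          /* models the kref; zero in a freshly allocated object */
    bool initialized;      /* models state_initialized */
    struct kobj *parent;   /* reference taken on add, dropped on release */
};

/* Counters standing in for the two WARNINGs in the CVE trace. */
static struct { int uninit_put; int underflow; } diag;

static void kobj_init(struct kobj *k)
{
    memset(k, 0, sizeof *k);
    k->refcount = 1;
    k->initialized = true;
}

static void kobj_put(struct kobj *k)
{
    if (!k->initialized)
        diag.uninit_put++;       /* "is not initialized, yet kobject_put() is being called" */
    if (k->refcount <= 0) {
        diag.underflow++;        /* "refcount_t: underflow; use-after-free" */
        return;
    }
    if (--k->refcount == 0 && k->parent)
        kobj_put(k->parent);     /* release drops the reference held on the parent */
}

static int kobj_add(struct kobj *k, struct kobj *parent)
{
    if (!k->initialized)
        return -22;              /* -EINVAL, as kobject_add() rejects uninitialized objects */
    parent->refcount++;          /* kobject_add() takes a reference on the parent */
    k->parent = parent;
    return 0;
}

/* Minimal devm: actions run in reverse order at release; on registration
 * failure the action runs immediately on the supplied data (the "or_reset" part). */
typedef void (*action_fn)(void *);
#define MAX_ACTIONS 8
struct dev { action_fn fn[MAX_ACTIONS]; void *data[MAX_ACTIONS]; int n; bool fail_next; };

static void put_action(void *data) { kobj_put(data); }

static int devm_add_action_or_reset(struct dev *d, action_fn fn, void *data)
{
    if (d->fail_next || d->n >= MAX_ACTIONS) {
        d->fail_next = false;    /* constructed fault injection, one-shot */
        fn(data);                /* this is the put that hit the uninitialized kobject */
        return -12;              /* -ENOMEM */
    }
    d->fn[d->n] = fn;
    d->data[d->n] = data;
    d->n++;
    return 0;
}

static void devm_release_all(struct dev *d)
{
    while (d->n > 0) { d->n--; d->fn[d->n](d->data[d->n]); }
}

/* Assumed pre-fix ordering: cleanup registered on a zeroed, not yet initialized kobject. */
static int pf_sysfs_init_before(struct dev *d, struct kobj *k, struct kobj *parent)
{
    int err = devm_add_action_or_reset(d, put_action, k);
    if (err)
        return err;
    kobj_init(k);
    return kobj_add(k, parent);
}

/* Post-fix ordering: init first, register the put on a live reference, then add. */
static int pf_sysfs_init_after(struct dev *d, struct kobj *k, struct kobj *parent)
{
    kobj_init(k);
    int err = devm_add_action_or_reset(d, put_action, k);
    if (err)
        return err;
    return kobj_add(k, parent);
}

/* Diagnostics raised when registration fails: 2 with the old ordering, 0 with the fix. */
int failure_diagnostics(bool fixed)
{
    struct dev d = { .fail_next = true };
    struct kobj parent, k;
    kobj_init(&parent);
    memset(&k, 0, sizeof k);     /* freshly allocated (zeroed) kobject */
    memset(&diag, 0, sizeof diag);
    (fixed ? pf_sysfs_init_after : pf_sysfs_init_before)(&d, &k, &parent);
    return diag.uninit_put + diag.underflow;
}

/* Second mistake: the loop registered the put on the parent, so children were never released. */
#define NCHILD 3
int leaked_children(bool fixed)
{
    struct dev d = { 0 };
    struct kobj parent, child[NCHILD];
    int leaked = 0;
    kobj_init(&parent);
    for (int i = 0; i < NCHILD; i++) {
        kobj_init(&child[i]);
        devm_add_action_or_reset(&d, put_action, fixed ? &child[i] : &parent);
        kobj_add(&child[i], &parent);
    }
    devm_release_all(&d);
    for (int i = 0; i < NCHILD; i++)
        leaked += child[i].refcount > 0;
    return leaked;
}

int main(void)
{
    printf("diagnostics on failure: before=%d after=%d\n",
           failure_diagnostics(false), failure_diagnostics(true));
    printf("leaked children: before=%d after=%d\n",
           leaked_children(false), leaked_children(true));
    return 0;
}
```

The model reproduces the shape of the trace: with the old ordering a failed registration puts a kobject whose refcount is still zero, producing both the "not initialized" warning and the refcount underflow; with the fix the same failure simply drops the one reference kobject_init() created. The second function shows why the leak in the loop went undetected: the parent's refcount never underflows because each kobject_add() had taken a reference on it, so the misdirected puts balance out while the children keep their references forever.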
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Linux kernel's DRM/Xe GPU driver, specifically in the SR-IOV Physical Function (PF) sysfs initialization path. The flaw is reachable locally by a low-privilege user or process on the host and arises when a cleanup action is triggered against a kobject that was never fully initialized, leading to a refcount underflow and use-after-free condition. Successful exploitation allows an attacker to read kernel memory, modify kernel data structures, or crash the system entirely. Patched-image rebuilds at Linux versions 6.19.4 and 7.0 (commits 6ae479b1919ee9bd0560fc7af649932dd420d010 and bf7172cd25ed182f30af2cbb9f80c730dc717d8e) are available on HarborGuard for environments running affected kernel versions.
HarborGuard Coverage
Detection of CVE-2026-46264 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that package an affected Linux kernel version.
HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on their configured notification rules.
A patched-image rebuild targeting Linux 6.19.4 or 7.0 becomes available through HarborGuard once the fix version is confirmed present in the upstream package feed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to the service is required.
- Authentication: Required
Any low-privilege local account is sufficient to trigger the vulnerable sysfs initialization path; no administrative credentials are needed.
- Victim interaction: Not required
No user interaction is required; the attacker can trigger the condition independently.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Reads kernel memory, exposing secrets such as session tokens, cryptographic keys, or other process data resident in kernel address space.
- Modifies kernel data structures, enabling privilege escalation or corruption of security-sensitive kernel state.
- Crashes the affected kernel instance, taking down all workloads running on the host.
- The scope change (S:C) means impact can extend beyond the immediate process or container boundary to affect the underlying host kernel shared by co-located workloads.
How HarborGuard Handles This
Available on HarborGuard: detection runs automatically against every image in connected registries and pipelines the moment the CVE record is ingested, with no manual configuration required. Because fix versions exist (Linux 6.19.4 and 7.0), a patched-image rebuild becomes available in HarborGuard as soon as the upstream package carrying the corrected kernel is published. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the patched version, executes regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not permitted by compliance policy, HarborGuard surfaces the finding with CVSS 8.8 context and routing to the appropriate team, and compensating controls such as restricting local shell access to the host, applying Linux Security Module policies (SELinux or AppArmor) to confine the xe driver's sysfs paths, and isolating SR-IOV PF workloads via network policy can reduce exposure until the patched image is deployed.
Fix available
- Linux / Linux: < 6ae479b1919ee9bd0560fc7af649932dd420d010 (from 5c170a4d9c530e872f2f788d95258fbaa39b4415) · < bf7172cd25ed182f30af2cbb9f80c730dc717d8e (from 5c170a4d9c530e872f2f788d95258fbaa39b4415)
- Linux / Linux 6.19: Fixed in 0, 6.19.4, 7.0
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H