CVE-2026-52950
HIGH 7.8In the Linux kernel, the following vulnerability has been resolved: drm/xe/dma-buf: fix UAF with retry loop Retry doesn't work here, since bo will be freed on error, leading to UAF. However, now that we do the alloc & init before the attach, we can now combine this as one unit and have the init do the alloc for us. This should make the retry safe. Reported by Sashiko. v2: Fix up the error unwind (CI) (cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)
Severe if exploited (CVSS 7.8), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.1%chance of exploitation in 30 days · 3rd percentile
Impact if exploited
7.8CVSS 3.1 · HIGH
- ConfidentialityHigh
- IntegrityHigh
- AvailabilityHigh
What an attacker needs
- ⚠Access: Requires local access to the host
- ⚠Privileges: Requires a low-privilege account
- ✓User interaction: No user interaction needed
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Products Linux Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 9 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8
Weakness (CWE)
- CWE-825
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
Technical & other
- https://git.kernel.org/stable/c/39fdac6be02eb7c3460518c1c4085f75f935c4ce
- https://git.kernel.org/stable/c/827062952ed9bdf4220466c1f05ce452d04bdedf
- https://git.kernel.org/stable/c/155a372a1cc50fa93387c5d3cdfd614a61e1afd1
- https://access.redhat.com/security/cve/CVE-2026-52950
- https://bugzilla.redhat.com/show_bug.cgi?id=2492318
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52950.json