CVE-2026-23466

/* * PoC Concept for CVE-2026-23466 * This demonstrates the race condition logic described in the vulnerability. * Triggering the actual crash requires a specific environment with drm/xe driver. */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> // Simulating the condition where driver load fails or is unplugged // and async access occurs. void trigger_race_condition() { int fd; // Open the device (hypothetical path for drm/xe) fd = open("/dev/dri/card0", O_RDWR); if (fd < 0) { perror("Failed to open device"); return; } // In a real exploit, one would manipulate buffer objects (BOs) // to ensure they are freed asynchronously while the device is torn down. // This involves triggering a driver unload or load failure state. printf("Attempting to trigger MMIO access race condition...\n"); // The vulnerability allows MMIO access even after drm_dev_unplug protection // fails, specifically during the devm release phase. close(fd); } int main() { trigger_race_condition(); return 0; }

{"cve": {"id": "CVE-2026-23466", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-03T16:16:34.017", "lastModified": "2026-05-20T15:15:36.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Open-code GGTT MMIO access protection\n\nGGTT MMIO access is currently protected by hotplug (drm_dev_enter),\nwhich works correctly when the driver loads successfully and is later\nunbound or unloaded. However, if driver load fails, this protection is\ninsufficient because drm_dev_unplug() is never called.\n\nAdditionally, devm release functions cannot guarantee that all BOs with\nGGTT mappings are destroyed before the GGTT MMIO region is removed, as\nsome BOs may be freed asynchronously by worker threads.\n\nTo address this, introduce an open-coded flag, protected by the GGTT\nlock, that guards GGTT MMIO access. The flag is cleared during the\ndev_fini_ggtt devm release function to ensure MMIO access is disabled\nonce teardown begins.\n\n(cherry picked from commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431)"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.78", "matchCriteriaId": "CF16B1DB-0D79-4F76-8B3C-57C79AB99F70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.20", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.10", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/01f2557aa684e514005541e71a3d01f4cd45c170", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1e9e2640d870d4837bcfdc220cb2c99ae5ee119f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/76326dc06d8793c2c81c31cc0115dbc348de2f88", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e2b424aadecb640f9e037b2891191cf8fd4c64cf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}