{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43280","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.998Z","datePublished":"2026-05-06T11:29:01.562Z","dateUpdated":"2026-05-11T22:21:30.323Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:21:30.323Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise\n\nWhen user provides a bogus pat_index value through the madvise IOCTL, the\nxe_pat_index_get_coh_mode() function performs an array access without\nvalidating bounds. This allows a malicious user to trigger an out-of-bounds\nkernel read from the xe->pat.table array.\n\nThe vulnerability exists because the validation in madvise_args_are_sane()\ndirectly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without\nfirst checking if pat_index is within [0, xe->pat.n_entries).\n\nAlthough xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug\nbuilds, it still performs the unsafe array access in production kernels.\n\nv2(Matthew Auld)\n- Using array_index_nospec() to mitigate spectre attacks when the value\nis used\n\nv3(Matthew Auld)\n- Put the declarations at the start of the block\n\n(cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/xe/xe_vm_madvise.c"],"versions":[{"version":"ada7486c5668db542a7d361268df931aca5b726a","lessThan":"ffba51100ff61792fefbae11ca38ac1987a818dd","status":"affected","versionType":"git"},{"version":"ada7486c5668db542a7d361268df931aca5b726a","lessThan":"79f52655567a6471ff3d0d6325ede91bb14461f4","status":"affected","versionType":"git"},{"version":"ada7486c5668db542a7d361268df931aca5b726a","lessThan":"fbbe32618e97eff81577a01eb7d9adcd64a216d7","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/xe/xe_vm_madvise.c"],"versions":[{"version":"6.18","status":"affected"},{"version":"0","lessThan":"6.18","status":"unaffected","versionType":"semver"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.18.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.19.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ffba51100ff61792fefbae11ca38ac1987a818dd"},{"url":"https://git.kernel.org/stable/c/79f52655567a6471ff3d0d6325ede91bb14461f4"},{"url":"https://git.kernel.org/stable/c/fbbe32618e97eff81577a01eb7d9adcd64a216d7"}],"title":"drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise","x_generator":{"engine":"bippy-1.2.0"}}}}