CVE-2026-52950

Source
https://cve.org/CVERecord?id=CVE-2026-52950
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52950.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52950
Downstream
Published
2026-06-24T16:28:33.469Z
Modified
2026-07-08T08:13:43.234792150Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
drm/xe/dma-buf: fix UAF with retry loop
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/dma-buf: fix UAF with retry loop

Retry doesn't work here, since bo will be freed on error, leading to UAF. However, now that we do the alloc & init before the attach, we can now combine this as one unit and have the init do the alloc for us. This should make the retry safe.

Reported by Sashiko.

v2: Fix up the error unwind (CI)

(cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52950.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
eb289a5f6cc668853f9b2ea6aca04afe58ed11c7
Fixed
39fdac6be02eb7c3460518c1c4085f75f935c4ce
Fixed
827062952ed9bdf4220466c1f05ce452d04bdedf
Fixed
155a372a1cc50fa93387c5d3cdfd614a61e1afd1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52950.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.18.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52950.json"