CVE-2026-52976

Source
https://cve.org/CVERecord?id=CVE-2026-52976
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52976.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52976
Downstream
Published
2026-06-24T16:28:53.147Z
Modified
2026-07-08T08:13:44.821927952Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix error cleanup in xeexecqueuecreateioctl()

Two error handling issues exist in xeexecqueuecreateioctl():

  1. When xehwenginegroupaddexecqueue() fails, the error path jumps to putexecqueue which skips xeexecqueuekill(). If the VM is in preempt fence mode, xevmaddcomputeexecqueue() has already added the queue to the VM's compute exec queue list. Skipping the kill leaves the queue on that list, leading to a dangling pointer after the queue is freed.

  2. When xaalloc() fails after xehwenginegroupaddexecqueue() has succeeded, the error path does not call xehwenginegroupdelexec_queue() to remove the queue from the hw engine group list. The queue is then freed while still linked into the hw engine group, causing a use-after-free.

Fix both by: - Changing the xehwenginegroupaddexecqueue() failure path to jump to killexecqueue so that xeexecqueuekill() properly removes the queue from the VM's compute list. - Adding a delhwenginegroup label before killexecqueue for the xa_alloc() failure path, which removes the queue from the hw engine group before proceeding with the rest of the cleanup.

(cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52976.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7970cb36966c9b9183255dc097ae0446300eebcf
Fixed
f93b00161213a0fe9f7ff1d8498ee5ca9e0a5c43
Fixed
753b149d5a433eb19e0c1b0eb4526a6e26120d1f
Fixed
1be55646d8a2035343b012dcb12210db7bb8b056
Fixed
f3cc22d4df3ed58439ea7e21daa54c3608e03b78

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52976.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52976.json"