In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix error cleanup in xeexecqueuecreateioctl()
Two error handling issues exist in xeexecqueuecreateioctl():
When xehwenginegroupaddexecqueue() fails, the error path jumps to putexecqueue which skips xeexecqueuekill(). If the VM is in preempt fence mode, xevmaddcomputeexecqueue() has already added the queue to the VM's compute exec queue list. Skipping the kill leaves the queue on that list, leading to a dangling pointer after the queue is freed.
When xaalloc() fails after xehwenginegroupaddexecqueue() has succeeded, the error path does not call xehwenginegroupdelexec_queue() to remove the queue from the hw engine group list. The queue is then freed while still linked into the hw engine group, causing a use-after-free.
Fix both by: - Changing the xehwenginegroupaddexecqueue() failure path to jump to killexecqueue so that xeexecqueuekill() properly removes the queue from the VM's compute list. - Adding a delhwenginegroup label before killexecqueue for the xa_alloc() failure path, which removes the queue from the hw engine group before proceeding with the rest of the cleanup.
(cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52976.json",
"cna_assigner": "Linux"
}