CVE-2026-43280
Published: May 6, 2026
Modified: May 11, 2026
CVSS v3.1
7.1
Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise When user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array. The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries). Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels. v2(Matthew Auld) - Using array_index_nospec() to mitigate spectre attacks when the value is used v3(Matthew Auld) - Put the declarations at the start of the block (cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected ada7486c5668db542a7d361268df931aca5b726a - < ffba51100ff61792fefbae11ca38ac1987a818ddaffected ada7486c5668db542a7d361268df931aca5b726a - < 79f52655567a6471ff3d0d6325ede91bb14461f4affected ada7486c5668db542a7d361268df931aca5b726a - < fbbe32618e97eff81577a01eb7d9adcd64a216d7 |
Linux | Linux | affected 6.18unaffected 0 - < 6.18unaffected 6.18.16 - <= 6.18.*unaffected 6.19.6 - <= 6.19.*unaffected 7.0 - <= * |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now