CVE-2026-43280

EUVD-2026-27676
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise

When user provides a bogus pat_index value through the madvise IOCTL, the
xe_pat_index_get_coh_mode() function performs an array access without
validating bounds. This allows a malicious user to trigger an out-of-bounds
kernel read from the xe->pat.table array.

The vulnerability exists because the validation in madvise_args_are_sane()
directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without
first checking if pat_index is within [0, xe->pat.n_entries).

Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug
builds, it still performs the unsafe array access in production kernels.

v2(Matthew Auld)
- Using array_index_nospec() to mitigate spectre attacks when the value
is used

v3(Matthew Auld)
- Put the declarations at the start of the block

(cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
6.18 ≤
𝑥
< 6.18.16
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.159-1
fixed
bookworm (security)
6.1.170-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.251-4
fixed
forky
6.19.14-1
fixed
sid
7.0.4-1
fixed
trixie
6.12.73-1
fixed
trixie (security)
6.12.86-1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/79f52655567a6471ff3d0d6325ede91bb14461f4
https://git.kernel.org/stable/c/fbbe32618e97eff81577a01eb7d9adcd64a216d7
https://git.kernel.org/stable/c/ffba51100ff61792fefbae11ca38ac1987a818dd