{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31390", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.084Z", "datePublished": "2026-04-03T15:15:56.035Z", "dateUpdated": "2026-04-03T15:15:56.035Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:56.035Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix memory leak in xe_vm_madvise_ioctl\n\nWhen check_bo_args_are_sane() validation fails, jump to the new\nfree_vmas cleanup label to properly free the allocated resources.\nThis ensures proper cleanup in this error path.\n\n(cherry picked from commit 29bd06faf727a4b76663e4be0f7d770e2d2a7965)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_vm_madvise.c"], "versions": [{"version": "293032eec4baa04374d62dd44de61e355296ad32", "lessThan": "c3aa7b837920c844d5ae0dd3dbaeb465a461de40", "status": "affected", "versionType": "git"}, {"version": "293032eec4baa04374d62dd44de61e355296ad32", "lessThan": "1c87b48a0ff040723f84a67b32892af7e6a3634f", "status": "affected", "versionType": "git"}, {"version": "293032eec4baa04374d62dd44de61e355296ad32", "lessThan": "0cfe9c4838f1147713f6b5c02094cd4dc0c598fa", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_vm_madvise.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c3aa7b837920c844d5ae0dd3dbaeb465a461de40"}, {"url": "https://git.kernel.org/stable/c/1c87b48a0ff040723f84a67b32892af7e6a3634f"}, {"url": "https://git.kernel.org/stable/c/0cfe9c4838f1147713f6b5c02094cd4dc0c598fa"}], "title": "drm/xe: Fix memory leak in xe_vm_madvise_ioctl", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix memory leak in xe_vm_madvise_ioctl\n\nWhen check_bo_args_are_sane() validation fails, jump to the new\nfree_vmas cleanup label to properly free the allocated resources.\nThis ensures proper cleanup in this error path.\n\n(cherry picked from commit 29bd06faf727a4b76663e4be0f7d770e2d2a7965)"}], "id": "CVE-2026-31390", "lastModified": "2026-04-03T16:16:36.987", "metrics": {}, "published": "2026-04-03T16:16:36.987", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0cfe9c4838f1147713f6b5c02094cd4dc0c598fa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1c87b48a0ff040723f84a67b32892af7e6a3634f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c3aa7b837920c844d5ae0dd3dbaeb465a461de40"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: drm/xe: Fix memory leak in xe_vm_madvise_ioctl", "id": "2454824", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454824"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-459", "details": ["A flaw was found in the Linux kernel's drm/xe component. A local user could exploit this vulnerability when validation fails during the `xe_vm_madvise_ioctl` operation, leading to improper cleanup of allocated resources. This can result in a memory leak, potentially causing system instability or a denial of service (DoS) over time."], "name": "CVE-2026-31390", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31390\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31390\nhttps://lore.kernel.org/linux-cve-announce/2026040324-CVE-2026-31390-f363@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[293032eec4baa04374d62dd44de61e355296ad32,c3aa7b837920c844d5ae0dd3dbaeb465a461de40)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[293032eec4baa04374d62dd44de61e355296ad32,1c87b48a0ff040723f84a67b32892af7e6a3634f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[293032eec4baa04374d62dd44de61e355296ad32,0cfe9c4838f1147713f6b5c02094cd4dc0c598fa)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T19:06:43.075875+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that contains the commit 29bd06faf guaranteeing proper cleanup of virtual memory areas in xe_vm_madvise_ioctl", "Verify that the running kernel includes the patch by checking the kernel version and confirming the presence of the commit in the git log", "If a kernel update is not immediately possible, monitor system memory usage for unexpected growth patterns that could indicate an unresolved leak and consider restarting affected services or the host to reclaim memory", "Restrict access to the graphics device to trusted processes to reduce the risk of unintended ioctl invocations"], "summary": {"action": "Apply patch", "impact": "Memory leak that can cause denial of service"}, "threat_synthesis": {"affected_systems": "Any system running a Linux kernel version that contains the DRM Xe driver before the patch identified by commit 29bd06faf indeed contains the bug. This includes all kernel releases that have not incorporated the commit that enforces proper cleanup. Users of older kernels or custom builds that did not apply the fix remain vulnerable.", "description_and_impact": "The Linux kernel\u2019s DRM Xe driver had a flaw in the xe_vm_madvise_ioctl system call. When the validation routine check_bo_args_are_sane() fails, the code previously skipped a cleanup path and left virtual memory areas allocated. Each faulty ioctl call therefore leaks kernel memory. Over time this accumulation can exhaust available memory and degrade overall system performance, potentially leading to a denial\u2011of\u2011service for all processes sharing the kernel\u2019s memory pool.", "risk_and_exploitability": "The CVSS score is not supplied, and the EPSS score is unavailable; the vulnerability is also not listed in the CISA KEV catalog. Because the error path is triggered after a failed validation of the ioctl arguments, exploitation would typically involve invoking xe_vm_madvise_ioctl with parameters that trigger the failure. Based on the description, it is inferred that an attacker would need local execution privileges sufficient to send the ioctl to the graphics device. No published exploits exist as of the provided data, so while the risk of exploitation is real for systems that can repeatedly trigger the failure, the likelihood of widespread or automated attacks appears limited. Nonetheless, the persistent memory consumption remains a realistic threat to system availability."}}}}, "created": "2026-04-03T21:13:21.997908+00:00", "updated": "2026-04-03T21:15:37.055949+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-399"]}