Cyber Resilience

CVE-2026-23466

HighUpdated

Published: 03 April 2026

Published
03 April 2026
Modified
20 May 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23466 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-24 (Fail in Known State).

Deeper analysis

CVE-2026-23466 is a vulnerability in the Linux kernel's drm/xe driver concerning inadequate protection of GGTT MMIO access. The protection currently relies on hotplug via drm_dev_enter, which functions correctly during successful driver load, unbind, or unload. However, it fails if driver load fails, as drm_dev_unplug() is never called. Additionally, devm release functions cannot ensure all buffer objects (BOs) with GGTT mappings are destroyed before the GGTT MMIO region is removed, due to asynchronous freeing by worker threads.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high impacts to confidentiality, integrity, and availability on the affected system.

Mitigation involves applying patches from Linux kernel stable branches that introduce an open-coded flag, protected by the GGTT lock, to guard GGTT MMIO access. This flag is cleared during the dev_fini_ggtt devm release function to disable access once teardown begins. Relevant commits include 01f2557aa684e514005541e71a3d01f4cd45c170, 1e9e2640d870d4837bcfdc220cb2c99ae5ee119f, 76326dc06d8793c2c81c31cc0115dbc348de2f88, and e2b424aadecb640f9e037b2891191cf8fd4c64cf, cherry-picked from upstream commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Open-code GGTT MMIO access protection GGTT MMIO access is currently protected by hotplug (drm_dev_enter), which works correctly when the driver loads successfully and is later unbound or unloaded. However,…

more

if driver load fails, this protection is insufficient because drm_dev_unplug() is never called. Additionally, devm release functions cannot guarantee that all BOs with GGTT mappings are destroyed before the GGTT MMIO region is removed, as some BOs may be freed asynchronously by worker threads. To address this, introduce an open-coded flag, protected by the GGTT lock, that guards GGTT MMIO access. The flag is cleared during the dev_fini_ggtt devm release function to ensure MMIO access is disabled once teardown begins. (cherry picked from commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel driver flaw enabling unauthorized MMIO access from low-privileged context, directly facilitating privilege escalation to kernel level.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152Same product: Linux Linux Kernel
CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-23387Same product: Linux Linux Kernel
CVE-2025-21856Same product: Linux Linux Kernel
CVE-2025-21727Same product: Linux Linux Kernel
CVE-2026-23275Same product: Linux Linux Kernel
CVE-2026-31401Same product: Linux Linux Kernel
CVE-2024-57980Same product: Linux Linux Kernel
CVE-2026-23437Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 6.12 — 6.12.78 · 6.13 — 6.18.20 · 6.19 — 6.19.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to GGTT MMIO regions, directly addressing the inadequate protection during driver load failures and asynchronous teardown.

prevent

Ensures the system fails securely to a known state with GGTT MMIO access disabled when driver load fails or during devm release teardown.

prevent

Implements memory protections to safeguard GGTT mappings and MMIO access from unauthorized use amid asynchronous buffer object freeing.

References