CVE-2026-23466
Published: 03 April 2026
Summary
CVE-2026-23466 is a high-severity an unspecified weakness vulnerability in Kernel (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-24 (Fail in Known State).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to GGTT MMIO regions, directly addressing the inadequate protection during driver load failures and asynchronous teardown.
Ensures the system fails securely to a known state with GGTT MMIO access disabled when driver load fails or during devm release teardown.
Implements memory protections to safeguard GGTT mappings and MMIO access from unauthorized use amid asynchronous buffer object freeing.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel driver flaw enabling unauthorized MMIO access from low-privileged context, directly facilitating privilege escalation to kernel level.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Open-code GGTT MMIO access protection GGTT MMIO access is currently protected by hotplug (drm_dev_enter), which works correctly when the driver loads successfully and is later unbound or unloaded. However,…
more
if driver load fails, this protection is insufficient because drm_dev_unplug() is never called. Additionally, devm release functions cannot guarantee that all BOs with GGTT mappings are destroyed before the GGTT MMIO region is removed, as some BOs may be freed asynchronously by worker threads. To address this, introduce an open-coded flag, protected by the GGTT lock, that guards GGTT MMIO access. The flag is cleared during the dev_fini_ggtt devm release function to ensure MMIO access is disabled once teardown begins. (cherry picked from commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431)
Deeper analysisAI
CVE-2026-23466 is a vulnerability in the Linux kernel's drm/xe driver concerning inadequate protection of GGTT MMIO access. The protection currently relies on hotplug via drm_dev_enter, which functions correctly during successful driver load, unbind, or unload. However, it fails if driver load fails, as drm_dev_unplug() is never called. Additionally, devm release functions cannot ensure all buffer objects (BOs) with GGTT mappings are destroyed before the GGTT MMIO region is removed, due to asynchronous freeing by worker threads.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high impacts to confidentiality, integrity, and availability on the affected system.
Mitigation involves applying patches from Linux kernel stable branches that introduce an open-coded flag, protected by the GGTT lock, to guard GGTT MMIO access. This flag is cleared during the dev_fini_ggtt devm release function to disable access once teardown begins. Relevant commits include 01f2557aa684e514005541e71a3d01f4cd45c170, 1e9e2640d870d4837bcfdc220cb2c99ae5ee119f, 76326dc06d8793c2c81c31cc0115dbc348de2f88, and e2b424aadecb640f9e037b2891191cf8fd4c64cf, cherry-picked from upstream commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431.
Details
- CWE(s)