CVE-2026-31390 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix memory leak in xe_vm_madvise_ioctl When check_bo_args_are_sane() validation fails, jump to the new free_vmas cleanup label to properly free the allocated resources. This ensures proper cleanup in this error path. (cherry picked from commit 29bd06faf727a4b76663e4be0f7d770e2d2a7965)

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux	Linux Kernel

References

Link	Providers
https://git.kernel.org/stable/c/0cfe9c4838f1147713f6b5c02094cd4dc0c598fa
https://git.kernel.org/stable/c/1c87b48a0ff040723f84a67b32892af7e6a3634f
https://git.kernel.org/stable/c/c3aa7b837920c844d5ae0dd3dbaeb465a461de40

History

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-399

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix memory leak in xe_vm_madvise_ioctl When check_bo_args_are_sane() validation fails, jump to the new free_vmas cleanup label to properly free the allocated resources. This ensures proper cleanup in this error path. (cherry picked from commit 29bd06faf727a4b76663e4be0f7d770e2d2a7965)
Title		drm/xe: Fix memory leak in xe_vm_madvise_ioctl
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0cfe9c4838f1147713f6b5c02094cd4dc0c598fa https://git.kernel.org/stable/c/1c87b48a0ff040723f84a67b32892af7e6a3634f https://git.kernel.org/stable/c/c3aa7b837920c844d5ae0dd3dbaeb465a461de40

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:56.035Z

Updated: 2026-04-03T15:15:56.035Z

Reserved: 2026-03-09T15:48:24.084Z

Link: CVE-2026-31390

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:36.987

Modified: 2026-04-03T16:16:36.987

Link: CVE-2026-31390

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:15:37Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31390", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.084Z", "datePublished": "2026-04-03T15:15:56.035Z", "dateUpdated": "2026-04-03T15:15:56.035Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:56.035Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix memory leak in xe_vm_madvise_ioctl\n\nWhen check_bo_args_are_sane() validation fails, jump to the new\nfree_vmas cleanup label to properly free the allocated resources.\nThis ensures proper cleanup in this error path.\n\n(cherry picked from commit 29bd06faf727a4b76663e4be0f7d770e2d2a7965)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_vm_madvise.c"], "versions": [{"version": "293032eec4baa04374d62dd44de61e355296ad32", "lessThan": "c3aa7b837920c844d5ae0dd3dbaeb465a461de40", "status": "affected", "versionType": "git"}, {"version": "293032eec4baa04374d62dd44de61e355296ad32", "lessThan": "1c87b48a0ff040723f84a67b32892af7e6a3634f", "status": "affected", "versionType": "git"}, {"version": "293032eec4baa04374d62dd44de61e355296ad32", "lessThan": "0cfe9c4838f1147713f6b5c02094cd4dc0c598fa", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_vm_madvise.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c3aa7b837920c844d5ae0dd3dbaeb465a461de40"}, {"url": "https://git.kernel.org/stable/c/1c87b48a0ff040723f84a67b32892af7e6a3634f"}, {"url": "https://git.kernel.org/stable/c/0cfe9c4838f1147713f6b5c02094cd4dc0c598fa"}], "title": "drm/xe: Fix memory leak in xe_vm_madvise_ioctl", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[293032eec4baa04374d62dd44de61e355296ad32,c3aa7b837920c844d5ae0dd3dbaeb465a461de40)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[293032eec4baa04374d62dd44de61e355296ad32,1c87b48a0ff040723f84a67b32892af7e6a3634f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[293032eec4baa04374d62dd44de61e355296ad32,0cfe9c4838f1147713f6b5c02094cd4dc0c598fa)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T19:06:43.075875+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that contains the commit 29bd06faf guaranteeing proper cleanup of virtual memory areas in xe_vm_madvise_ioctl", "Verify that the running kernel includes the patch by checking the kernel version and confirming the presence of the commit in the git log", "If a kernel update is not immediately possible, monitor system memory usage for unexpected growth patterns that could indicate an unresolved leak and consider restarting affected services or the host to reclaim memory", "Restrict access to the graphics device to trusted processes to reduce the risk of unintended ioctl invocations"], "summary": {"action": "Apply patch", "impact": "Memory leak that can cause denial of service"}, "threat_synthesis": {"affected_systems": "Any system running a Linux kernel version that contains the DRM Xe driver before the patch identified by commit 29bd06faf indeed contains the bug. This includes all kernel releases that have not incorporated the commit that enforces proper cleanup. Users of older kernels or custom builds that did not apply the fix remain vulnerable.", "description_and_impact": "The Linux kernel\u2019s DRM Xe driver had a flaw in the xe_vm_madvise_ioctl system call. When the validation routine check_bo_args_are_sane() fails, the code previously skipped a cleanup path and left virtual memory areas allocated. Each faulty ioctl call therefore leaks kernel memory. Over time this accumulation can exhaust available memory and degrade overall system performance, potentially leading to a denial\u2011of\u2011service for all processes sharing the kernel\u2019s memory pool.", "risk_and_exploitability": "The CVSS score is not supplied, and the EPSS score is unavailable; the vulnerability is also not listed in the CISA KEV catalog. Because the error path is triggered after a failed validation of the ioctl arguments, exploitation would typically involve invoking xe_vm_madvise_ioctl with parameters that trigger the failure. Based on the description, it is inferred that an attacker would need local execution privileges sufficient to send the ioctl to the graphics device. No published exploits exist as of the provided data, so while the risk of exploitation is real for systems that can repeatedly trigger the failure, the likelihood of widespread or automated attacks appears limited. Nonetheless, the persistent memory consumption remains a realistic threat to system availability."}}}}, "created": "2026-04-03T21:13:21.997908+00:00", "updated": "2026-04-03T21:15:37.055949+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-399"]}