PT-2026-51870 · Linux · Linux

Published

2026-06-24

Updated

2026-06-24

CVE-2026-52976

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix error cleanup in xe exec queue create ioctl()

Two error handling issues exist in xe exec queue create ioctl():

When xe hw engine group add exec queue() fails, the error path jumps to put exec queue which skips xe exec queue kill(). If the VM is in preempt fence mode, xe vm add compute exec queue() has already added the queue to the VM's compute exec queue list. Skipping the kill leaves the queue on that list, leading to a dangling pointer after the queue is freed.
When xa alloc() fails after xe hw engine group add exec queue() has succeeded, the error path does not call xe hw engine group del exec queue() to remove the queue from the hw engine group list. The queue is then freed while still linked into the hw engine group, causing a use-after-free.

Fix both by:

Changing the xe hw engine group add exec queue() failure path to jump to kill exec queue so that xe exec queue kill() properly removes the queue from the VM's compute list.
Adding a del hw engine group label before kill exec queue for the xa alloc() failure path, which removes the queue from the hw engine group before proceeding with the rest of the cleanup.

(cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)

Found an issue in the description? Have something to add? Feel free to write us 👾

CVE-2026-52976

Linux