Severity: NONE

CVE-2026-46224

Published: May 28, 2026 · Updated: May 28, 2026

EPSS: 0.02% probability of exploitation in 30 days. Percentile: 4.3th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure

When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.

xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.

Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.

v2: Add comments to explain the free logic.

(cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)

NVD Source
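
An added illustration, not the kernel patch or the xe driver's code: a user-space C model of the ownership rule in the description, where the init function must free the storage it was handed on every failure path because the importer only sees a NULL result. All function names and the fault-injection flags below are hypothetical stand-ins.

```c
/* User-space model of the ownership rule in the description; not kernel code.
 * All names (bo_alloc, init_obj, fail_resv, fail_init) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct bo { int initialized; };
static int live_bos;              /* outstanding bo allocations */
static int fail_resv, fail_init;  /* fault-injection switches (constructed) */

static struct bo *bo_alloc(void) { live_bos++; return calloc(1, sizeof(struct bo)); }
static void bo_free(struct bo *bo) { live_bos--; free(bo); }

/* Stand-in for drm_gpuvm_resv_object_alloc(): may fail, never touches the bo. */
static void *resv_object_alloc(void) { return fail_resv ? NULL : malloc(1); }

/* Stand-in for xe_bo_init_locked(): frees the bo itself on error. */
static struct bo *bo_init_locked(struct bo *bo)
{
    if (fail_init) { bo_free(bo); return NULL; }
    bo->initialized = 1;
    return bo;
}

/* fix=0: pre-patch behaviour, storage is not freed when the resv alloc fails.
 * fix=1: patched behaviour, storage is freed on every failure path. */
static struct bo *init_obj(struct bo *storage, int fix)
{
    void *resv = resv_object_alloc();
    if (!resv) {
        if (fix)
            bo_free(storage);
        return NULL;
    }
    free(resv);                      /* model only: real code keeps it */
    return bo_init_locked(storage);  /* frees storage on its own failure */
}

/* Importer: sees only NULL, so it cannot tell which callee failed and
 * must not free storage itself (it may already have been freed). */
static int import_and_count_leak(int fix, int resv_fails, int init_fails)
{
    live_bos = 0; fail_resv = resv_fails; fail_init = init_fails;
    struct bo *bo = init_obj(bo_alloc(), fix);
    if (bo) bo_free(bo);             /* success: caller owns and releases */
    return live_bos;                 /* non-zero means a leaked bo */
}

int main(void)
{
    printf("leaked bos: pre-patch=%d patched=%d\n",
           import_and_count_leak(0, 1, 0), import_and_count_leak(1, 1, 0));
    return 0;
}
```

The importer cannot repair the pre-patch case by freeing on NULL, because in the init-failure path the bo is already gone and that would be a double free.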

Technical Analysis

CVE-2026-46224 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-46224
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: May 28, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46224 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.