HIGH

CVE-2026-52951

Published: June 24, 2026 · Updated: Jun 30, 2026

CVSS v3.1: 7.8
EPSS: 0.18% probability of exploitation in 30 days (percentile: 7.2th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/dma-buf: handle empty bo and UAF races

There look to be some nasty races here when triggering the invalidate_mappings hook:

1) We do xe_bo_alloc() followed by the attach, before the actual full bo init step in xe_dma_buf_init_obj(). However the bo is visible on the attachments list after the attach. This is bad since exporter driver, say amdgpu, can at any time call back into our invalidate_mappings hook, with an empty/bogus bo, leading to potential bugs/crashes.

2) Similar to 1) but here we get a UAF, when the invalidate_mappings hook is triggered. For example, we get as far as xe_bo_init_locked() but this fails in some way. But here the bo will be freed on error, but we still have it attached from dma-buf pov, so if the invalidate_mappings is now triggered then the bo we access is gone and we trigger UAF and more bugs/crashes.

To fix this, move the attach step until after we actually have a fully set up buffer object. Note that the bo is not published to userspace until later, so not sure what the comment "Don't publish the bo until we have a valid attachment", is referring to.

We have at least two different customers reporting hitting a NULL ptr deref in evict_flags when importing something from amdgpu, followed by triggering the evict flow. Hit rate is also pretty low, which would hint at some kind of race, so something like 1) or 2) might explain this.

v2:
- Shuffle the order of the ops slightly (no functional change)
- Improve the comment to better explain the ordering (Matt B)

(cherry picked from commit af1f2ad0c59fe4e2f924c526f66e968289d77971)

NVD Source
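
The two races in the description come down to publishing an object to a callback list before it is fully set up. The following deterministic user-space model is an added example, not the kernel patch or xe driver code: every type and function name in it is hypothetical, the exporter callback is fired after each step to stand in for the race window, and "freed" is modelled as a state flag so the program itself stays memory-safe.

```c
#include <stddef.h>

/* User-space model. All names are hypothetical, not the xe driver's API. */
enum bo_state { BO_EMPTY, BO_READY, BO_FREED };
struct bo { enum bo_state state; };

#define MAX_ATTACH 4
static struct bo *attachments[MAX_ATTACH]; /* exporter-side attachment list */
static int bad_callbacks;                  /* hook ran on a non-ready bo */

static void attach(struct bo *bo)
{
    for (size_t i = 0; i < MAX_ATTACH; i++)
        if (!attachments[i]) { attachments[i] = bo; return; }
}

/* The exporter may invoke the importer's hook any time after attach. */
static void exporter_invalidate(void)
{
    for (size_t i = 0; i < MAX_ATTACH; i++)
        if (attachments[i] && attachments[i]->state != BO_READY)
            bad_callbacks++; /* real driver: bogus bo or use-after-free */
}

static int bo_init(struct bo *bo, int fail)
{
    bo->state = fail ? BO_FREED : BO_READY; /* error path frees the bo */
    return fail ? -1 : 0;
}

/* Returns how many callbacks hit an empty or freed bo. The exporter fires
 * after every step to model the worst-case interleaving. */
int import_bo(int attach_first, int init_fails)
{
    static struct bo bo; /* static: stays valid, "freed" is only a flag */
    bo.state = BO_EMPTY;
    bad_callbacks = 0;
    for (size_t i = 0; i < MAX_ATTACH; i++) attachments[i] = NULL;

    if (attach_first) attach(&bo);          /* old order: publish early */
    exporter_invalidate();                  /* race 1: empty bo visible */
    int err = bo_init(&bo, init_fails);
    if (!attach_first && !err) attach(&bo); /* fixed order: attach last */
    exporter_invalidate();                  /* race 2: freed, still attached */
    return bad_callbacks;
}

int main(void) { return import_bo(0, 0) + import_bo(0, 1); } /* fixed order: 0 */
```

With `attach_first` set, the hook sees the empty object once, and a second time as a freed object when init fails; with attach moved after a successful init, it never sees either.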

Technical Analysis

CVE-2026-52951 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation), and availability disruption (denial of service); the CVSS base score is 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Req.: Low
  • User Interaction: None
  • Scope: Unchanged

Impact
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

  • CVE ID: CVE-2026-52951
  • CVSS Score: 7.8 / 10
  • Severity: HIGH
  • CISA KEV: No
  • EPSS (30d): 0.18%
  • Published: Jun 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-52951 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.