Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-06T00:00:00 kernel: drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CWE-1285

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise When user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array. The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries). Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels. v2(Matthew Auld) - Using array_index_nospec() to mitigate spectre attacks when the value is used v3(Matthew Auld) - Put the declarations at the start of the block (cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)

A flaw was found in the Linux kernel's drm/xe module. A local user can exploit this vulnerability by providing a malformed pat_index value through the madvise IOCTL. This allows the xe_pat_index_get_coh_mode() function to perform an out-of-bounds read from the xe->pat.table array, leading to information disclosure from kernel memory.

Red Hat acknowledges the upstream Linux kernel correction for «drm/xe» as described in COMMENT_ZERO. Fixes are delivered through standard kernel errata for supported products. Operational exposure depends on whether this subsystem or driver is active in your configuration. Red Hat Enterprise Linux 10 Fix deferred kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Not affected kernel Red Hat Enterprise Linux 8 Not affected kernel-rt Red Hat Enterprise Linux 9 Fix deferred kernel Red Hat Enterprise Linux 9 Fix deferred kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-43280 https://nvd.nist.gov/vuln/detail/CVE-2026-43280 https://lore.kernel.org/linux-cve-announce/2026050613-CVE-2026-43280-bd23@gregkh/T