CVE-2026-46264 in Linux

Summary

by MITRE • 06/03/2026

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/pf: Fix sysfs initialization

In case of devm_add_action_or_reset() failure the provided cleanup action will be run immediately on the not yet initialized kobject. This may lead to errors like:

[ ] kobject: '(null)' (ff110001393608e0): is not initialized, yet kobject_put() is being called.
[ ] WARNING: lib/kobject.c:734 at kobject_put+0xd9/0x250, CPU#0: kworker/0:0/9
[ ] RIP: 0010:kobject_put+0xdf/0x250
[ ] Call Trace:
[ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe]
[ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe]
[ ] xe_sriov_init_late+0x5f/0x2c0 [xe]
[ ] xe_device_probe+0x5f2/0xc20 [xe]
[ ] xe_pci_probe+0x396/0x610 [xe]
[ ] local_pci_probe+0x47/0xb0

[ ] refcount_t: underflow; use-after-free.
[ ] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x68/0xb0, CPU#0: kworker/0:0/9
[ ] RIP: 0010:refcount_warn_saturate+0x68/0xb0
[ ] Call Trace:
[ ] kobject_put+0x174/0x250
[ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe]
[ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe]
[ ] xe_sriov_init_late+0x5f/0x2c0 [xe]
[ ] xe_device_probe+0x5f2/0xc20 [xe]
[ ] xe_pci_probe+0x396/0x610 [xe]
[ ] local_pci_probe+0x47/0xb0

Fix that by calling kobject_init() and kobject_add() separately and registering the cleanup action after the kobject is initialized.

Also make this cleanup registration a part of the create helper to fix another mistake: in the loop we were wrongly passing the parent kobject while registering the cleanup action, and this resulted in some undetected leaks.

(cherry picked from commit 98b16727f07e26a5d4de84d88805ce7ffcfdd324)


Analysis

by VulDB Data Team • 06/05/2026

This vulnerability exists within the Linux kernel's graphics subsystem, specifically in the xe driver's sysfs initialization process for SR-IOV (Single Root I/O Virtualization) functions. The issue stems from improper handling of kernel object initialization sequences when device memory management actions fail. The flaw manifests when devm_add_action_or_reset() encounters an error during system initialization, causing cleanup actions to execute against uninitialized kobjects. This creates a dangerous race condition where cleanup code attempts to operate on kernel objects that have not yet been properly initialized through the standard kobject infrastructure. The vulnerability directly impacts the device driver's ability to manage system resources correctly during hardware probe and initialization phases, potentially leading to system instability and memory corruption.

The technical root cause is the improper sequencing of kernel object lifecycle management functions within the xe_sriov_pf_sysfs_init() function. When devm_add_action_or_reset() fails, it immediately invokes the registered cleanup action before the kobject has completed its initialization through kobject_init() and kobject_add(). This violates a fundamental kernel object management rule: kobject_put() may only be called on a properly initialized object. The error messages show kobject_put() being invoked on a kobject that has not been initialized (its name prints as '(null)'), triggering kernel warnings about an uninitialized object and a reference count underflow. This pattern constitutes a classic use-after-free condition as defined by CWE-416, where cleanup code operates on memory that has not yet been properly allocated or initialized.

The operational impact of this vulnerability extends beyond simple initialization failures to potentially compromise system stability and security. During device probe operations, the kernel may experience unexpected crashes or memory corruption when attempting to clean up partially initialized resources. The reference count underflow warning demonstrates that the kernel's memory management subsystem detects an invalid operation where cleanup code attempts to decrement reference counts on objects that were never properly initialized. This could enable attackers to potentially exploit the uninitialized object state to cause system crashes or, in more severe scenarios, achieve privilege escalation through memory corruption. The vulnerability affects systems using Intel xe graphics drivers with SR-IOV capabilities, particularly those implementing PCIe device initialization workflows.

The fix addresses this vulnerability by separating the kobject initialization process into distinct phases: first calling kobject_init() to prepare the object structure, then calling kobject_add() to register it within the kernel's object hierarchy, and finally registering cleanup actions only after successful initialization. This ensures that cleanup actions are never executed against uninitialized objects, preventing the use-after-free conditions that lead to system instability. Additionally, the patch corrects a secondary issue where cleanup actions were being registered with incorrect parent kobject references, which could lead to resource leaks in loop-based initialization scenarios. This approach aligns with ATT&CK technique T1068 by addressing privilege escalation vectors through memory corruption prevention, and follows security best practices for kernel resource management. The fix also ensures proper cleanup registration within the creation helper functions, preventing the accumulation of leaked resources during initialization failures and maintaining system integrity throughout the device driver lifecycle.
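To make the two orderings described in the commit message and in the analysis above concrete, here is an added userspace C model; it is not the xe driver's or the kernel's code. kobject_init(), kobject_add(), kobject_put() and devm_add_action_or_reset() are simplified stand-ins that keep the real names, the injected devm failure is a constructed scenario, and the warning counters take the place of the kernel WARN() calls seen in the trace.

```c
#include <errno.h>
#include <stdbool.h>
/* Constructed userspace model of the kobject lifecycle; not xe driver or kernel code. */
struct kobj { int refcount; bool initialized; bool released; };
static int underflow_warnings;  /* stands in for refcount_warn_saturate() */
static int uninit_put_warnings; /* stands in for the lib/kobject.c WARN in the trace */
static void kobject_init(struct kobj *k) { k->refcount = 1; k->initialized = true; }
static int kobject_add(struct kobj *k, bool fail) { (void)k; return fail ? -ENOMEM : 0; }
static void kobject_put(struct kobj *k)
{
    if (!k->initialized)
        uninit_put_warnings++; /* "is not initialized, yet kobject_put() is being called" */
    if (k->refcount <= 0) { underflow_warnings++; return; } /* "refcount_t: underflow" */
    if (--k->refcount == 0) k->released = true;
}
static void pf_sysfs_fini(void *data) { kobject_put(data); }

/* devm_add_action_or_reset(): on failure the action runs at once and -ENOMEM is returned. */
static int devm_add_action_or_reset(bool fail, void (*action)(void *), void *data)
{
    if (fail) { action(data); return -ENOMEM; }
    return 0;
}

/* Buggy ordering: cleanup registered before the kobject is initialized. */
static int sysfs_init_buggy(struct kobj *k, bool devm_fails)
{
    int err = devm_add_action_or_reset(devm_fails, pf_sysfs_fini, k);
    if (err) return err; /* pf_sysfs_fini() already ran on an uninitialized kobject */
    kobject_init(k);
    return kobject_add(k, false);
}

/* Fixed ordering: init, add, and only then register the cleanup on a live kobject. */
static int sysfs_init_fixed(struct kobj *k, bool devm_fails)
{
    kobject_init(k);
    int err = kobject_add(k, false);
    if (err) { kobject_put(k); return err; }
    return devm_add_action_or_reset(devm_fails, pf_sysfs_fini, k);
}

/* One probe with the devm registration failing; returns the warnings raised. */
static int probe_warnings(bool fixed)
{
    struct kobj k = {0};
    underflow_warnings = uninit_put_warnings = 0;
    (fixed ? sysfs_init_fixed : sysfs_init_buggy)(&k, true);
    return underflow_warnings + uninit_put_warnings;
}
```

With the buggy ordering the injected failure produces both warnings from the trace (uninitialized put, then refcount underflow); with the fixed ordering the same failure drops the single reference cleanly and releases the object.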

Responsible

Linux

Reservation

05/13/2026

Disclosure

06/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00018

KEV

no

Activities

low
