Linux Kernel DRM XE OA UAF in xe_oa_add_config_ioctl()
CVE-2025-71099 Published on January 13, 2026
drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()
In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping
metrics_lock. Since this lock protects the lifetime of oa_config, an
attacker could guess the id and call xe_oa_remove_config_ioctl() with
perfect timing, freeing oa_config before we dereference it, leading to
a potential use-after-free.
Fix this by caching the id in a local variable while holding the lock.
v2: (Matt A)
- Dropped mutex_unlock(&oa->metrics_lock) ordering change from
xe_oa_remove_config_ioctl()
(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)
Products Associated with CVE-2025-71099
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0 and below c6d30b65b7a44dac52ad49513268adbf19eab4a2 is affected.
- Version cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0 and below 7cdb9a9da935c687563cc682155461fef5f9b48d is affected.
- Version cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0 and below dcb171931954c51a1a7250d558f02b8f36570783 is affected.
- Version 6.11 is affected.
- Before 6.11 is unaffected.
- Version 6.12.64, <= 6.12.* is unaffected.
- Version 6.18.4, <= 6.18.* is unaffected.
- Version 6.19, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.