CVE-2026-46309: cache-bypass leaks

CISO Take

CVE-2026-46309 is a Linux kernel vulnerability in the Intel Xe GPU driver where missing ioctl validation allows a local process to apply a GPU memory flag (coh_none PAT index) that breaks CPU-GPU cache coherency on CPU-cached buffers. When the kernel clears freed pages as part of reallocation, that clear operation stays in CPU cache — but the GPU with coh_none reads DRAM directly, recovering stale data from memory previously owned by other processes. For AI/ML environments with Intel Xe integrated GPUs, this means inference inputs, tokenized prompts, model weights, or activation tensors processed by a co-resident workload could leak across process boundaries to a local attacker. No public exploit exists, the issue is not in CISA KEV, and scope is limited to iGPU (not datacenter discrete GPUs); mitigate by applying the upstream kernel patch (commit 016ccdb674b8) and restricting untrusted local user access to /dev/dri/* device nodes until patched.

Sources: NVD ATLAS

What is the risk?

LOW-MEDIUM for AI/ML contexts. Requires local system access — not remotely exploitable. No CVSS score assigned, no KEV listing, no public exploit or scanner template. Scope restricted to Intel Xe integrated GPUs per v9 of the patch, excluding the datacenter discrete GPU hardware typically used in ML training clusters. Primary exposure surface is edge and on-device AI (developer laptops, workstations with Intel Core iGPU, edge inference nodes) and shared development environments where multiple users or containers share the same host with an Xe iGPU. Exploitation requires kernel ioctl knowledge but no AI/ML expertise.

How does the attack unfold?

Local Access

Attacker obtains local user access on a Linux system running AI workloads on Intel Xe integrated GPU hardware, either via valid credentials or a prior compromise.

AML.T0012

ioctl Exploitation

Attacker calls xe_vm_madvise_ioctl() with a coh_none PAT index on CPU-cached GPU memory buffers, exploiting the missing validation to configure a GPU mapping with no cache coherency.

Cache-Bypass DRAM Read

GPU reads DRAM directly with coh_none, bypassing CPU cache where kernel zeroing wrote zeros — recovering stale data from freed pages previously owned by co-resident AI processes.

AML.T0037

AI Data Exfiltration

Attacker extracts recovered stale content — potentially including inference inputs, tokenized prompts, activation tensors, or model weight fragments — from other AI workloads sharing the host.

AML.T0025

Local Access

Attacker obtains local user access on a Linux system running AI workloads on Intel Xe integrated GPU hardware, either via valid credentials or a prior compromise.

AML.T0012

ioctl Exploitation

Attacker calls xe_vm_madvise_ioctl() with a coh_none PAT index on CPU-cached GPU memory buffers, exploiting the missing validation to configure a GPU mapping with no cache coherency.

Cache-Bypass DRAM Read

GPU reads DRAM directly with coh_none, bypassing CPU cache where kernel zeroing wrote zeros — recovering stale data from freed pages previously owned by co-resident AI processes.

AML.T0037

AI Data Exfiltration

Attacker extracts recovered stale content — potentially including inference inputs, tokenized prompts, activation tensors, or model weight fragments — from other AI workloads sharing the host.

AML.T0025

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

4 steps

Apply the upstream kernel fix: commit 016ccdb674b8c899940b3944952c96a6a490d10a (or stable backports at the three referenced kernel.org commits).
Until patched, restrict /dev/dri/* device node access to trusted users only via udev rules (TAG+="uaccess" only for seat owner) or seccomp filtering on AI inference processes.
On multi-tenant systems, isolate AI inference workloads in dedicated VMs or containers with device passthrough restricted to a single tenant.
Detection: audit madvise ioctl calls specifying coh_none PAT indices on Xe driver systems; no public Nuclei template exists. Monitor dmesg for xe_vm_madvise rejection logs once patched (kernel adds validation logging).

How is it classified?

Data Leakage Privacy Violation Inference Model AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.4 - Information security in AI system deployment

NIST AI RMF

MANAGE 2.4 - Residual risks are managed

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-46309?

CVE-2026-46309 is a Linux kernel vulnerability in the Intel Xe GPU driver where missing ioctl validation allows a local process to apply a GPU memory flag (coh_none PAT index) that breaks CPU-GPU cache coherency on CPU-cached buffers. When the kernel clears freed pages as part of reallocation, that clear operation stays in CPU cache — but the GPU with coh_none reads DRAM directly, recovering stale data from memory previously owned by other processes. For AI/ML environments with Intel Xe integrated GPUs, this means inference inputs, tokenized prompts, model weights, or activation tensors processed by a co-resident workload could leak across process boundaries to a local attacker. No public exploit exists, the issue is not in CISA KEV, and scope is limited to iGPU (not datacenter discrete GPUs); mitigate by applying the upstream kernel patch (commit 016ccdb674b8) and restricting untrusted local user access to /dev/dri/* device nodes until patched.

Is CVE-2026-46309 actively exploited?

No confirmed active exploitation of CVE-2026-46309 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46309?

1. Apply the upstream kernel fix: commit 016ccdb674b8c899940b3944952c96a6a490d10a (or stable backports at the three referenced kernel.org commits). 2. Until patched, restrict /dev/dri/* device node access to trusted users only via udev rules (TAG+="uaccess" only for seat owner) or seccomp filtering on AI inference processes. 3. On multi-tenant systems, isolate AI inference workloads in dedicated VMs or containers with device passthrough restricted to a single tenant. 4. Detection: audit madvise ioctl calls specifying coh_none PAT indices on Xe driver systems; no public Nuclei template exists. Monitor dmesg for xe_vm_madvise rejection logs once patched (kernel adds validation logging).

What systems are affected by CVE-2026-46309?

This vulnerability affects the following AI/ML architecture patterns: on-device AI inference, GPU-accelerated ML workloads, shared ML development environments, edge AI deployments.

What is the CVSS score for CVE-2026-46309?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

on-device AI inferenceGPU-accelerated ML workloadsshared ML development environmentsedge AI deployments

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0035 AI Artifact Collection

AML.T0037 Data from Local System

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.9.4

NIST AI RMF: MANAGE 2.4

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

In the Linux kernel, the following vulnerability has been resolved: drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise Add validation in xe_vm_madvise_ioctl() to reject PAT indices with XE_COH_NONE coherency mode when applied to CPU cached memory. Using coh_none with CPU cached buffers is a security issue. When the kernel clears pages before reallocation, the clear operation stays in CPU cache (dirty). GPU with coh_none can bypass CPU caches and read stale sensitive data directly from DRAM, potentially leaking data from previously freed pages of other processes. This aligns with the existing validation in vm_bind path (xe_vm_bind_ioctl_validate_bo). v2(Matthew brost) - Add fixes - Move one debug print to better place v3(Matthew Auld) - Should be drm/xe/uapi - More Cc v4(Shuicheng Lin) - Fix kmem leak issues by the way v5 - Remove kmem leak because it has been merged by another patch v6 - Remove the fix which is not related to current fix v7 - No change v8 - Rebase v9 - Limit the restrictions to iGPU v10 - No change (cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a)

Exploitation Scenario

An attacker with local user access on a shared AI development workstation (Intel Core iGPU, running Linux with Xe driver) launches a background process. A legitimate AI inference service on the same host processes a sensitive request — for example, a local LLM handles confidential prompts — and then frees its GPU-mapped buffer. The kernel's memset-to-zero of that page lands in CPU cache but does not flush to DRAM. The attacker's process calls xe_vm_madvise_ioctl() with a coh_none PAT index against a newly allocated buffer mapped to the same physical page, then reads it via GPU DMA — recovering the uncleaned stale content (partial prompt text, token IDs, or activation data) directly from DRAM, bypassing the kernel's zeroing.