PatchSiren cyber security CVE debrief
CVE-2026-43395 Linux CVE debrief
CVE-2026-43395 is a Linux kernel issue in the Xe DRM sync parsing path. According to the vendor description, error handling in xe_sync_entry_parse() could return after allocating references, leaving partially initialized sync state behind. The fix routes those failures through a common cleanup path so allocated sync objects are released before returning.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-21
Who should care
Linux kernel maintainers, distro security teams, and operators running affected kernel branches—especially systems using the Xe DRM driver path or multi-user desktops/workstations where local users can exercise kernel interfaces.
Technical summary
The supplied kernel commit message says xe_sync_entry_parse() may allocate references such as a syncobj, fence, chain fence, or user fence before hitting later parse failures. Some error paths returned directly instead of cleaning up, which could leak references and leave partially initialized sync state. The resolution is to route those failures through a common free_sync label and call xe_sync_entry_cleanup(sync) before returning. NVD classifies the weakness as CWE-459 (Incomplete Cleanup) and rates the impact as local, low-privilege, no-user-interaction availability loss (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
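To make the two error-path shapes concrete, here is a constructed C model (an added example, not the kernel's code): fake_ref_get/fake_ref_put, sync_entry, sync_entry_cleanup and the two parse functions are stand-ins for the syncobj/fence references, xe_sync_entry_cleanup() and xe_sync_entry_parse() described above, and the single flags_valid check stands in for the later parse failures.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed stand-in for a refcounted DRM sync object; not the kernel's type. */
struct fake_ref { int refs; };
static int live_refs;            /* outstanding references, for the demo only */

static struct fake_ref *fake_ref_get(void) {
    struct fake_ref *r = calloc(1, sizeof *r);
    if (r) { r->refs = 1; live_refs++; }
    return r;
}
static void fake_ref_put(struct fake_ref *r) {
    if (r && --r->refs == 0) { live_refs--; free(r); }
}

struct sync_entry { struct fake_ref *syncobj; struct fake_ref *fence; };

/* Plays the role of xe_sync_entry_cleanup(): drop whatever was acquired. */
static void sync_entry_cleanup(struct sync_entry *s) {
    fake_ref_put(s->fence);   s->fence = NULL;
    fake_ref_put(s->syncobj); s->syncobj = NULL;
}

/* Before the fix: a late validation failure returns directly, leaking both refs. */
static int parse_leaky(struct sync_entry *s, int flags_valid) {
    s->syncobj = fake_ref_get();
    s->fence = fake_ref_get();
    if (!flags_valid)
        return -EINVAL;          /* bug: syncobj and fence are never released */
    return 0;
}

/* After the fix: every failure past an allocation routes through free_sync. */
static int parse_fixed(struct sync_entry *s, int flags_valid) {
    int err = 0;
    s->syncobj = fake_ref_get();
    s->fence = fake_ref_get();
    if (!flags_valid) { err = -EINVAL; goto free_sync; }
    return 0;
free_sync:
    sync_entry_cleanup(s);
    return err;
}

/* Runs a failing parse and reports how many references are still live. */
static int leaked_refs_after(int (*parse)(struct sync_entry *, int)) {
    struct sync_entry s = { 0 };
    live_refs = 0;
    (void)parse(&s, 0);
    return live_refs;
}
```

Each failing call through the leaky path leaves two references behind, which is the slow resource growth the CWE-459 classification and the availability-only CVSS vector describe; the fixed path leaves none.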
Defensive priority
Medium. The issue is locally reachable and affects availability rather than confidentiality or integrity, but it is still kernel-level and can accumulate resource leaks. Prioritize patching on systems that expose the Xe DRM path or that rely on stable kernel branches listed by NVD.
Recommended defensive actions
- Apply the vendor or distro kernel update that includes the cleanup fix.
- If you track upstream fixes, verify that your branch includes the patch associated with the supplied kernel stable references.
- Prioritize remediation for the affected ranges listed by NVD: Linux kernel 6.8 up to (but not including) 6.12.78, 6.13 up to (but not including) 6.18.19, 6.19 up to (but not including) 6.19.9, and 7.0-rc1.
- After updating, confirm the running kernel version matches a fixed build from your vendor or backport stream.
- Monitor affected hosts for unexplained kernel resource growth or instability until patching is complete.
Evidence notes
The CVE description states that xe_sync_entry_parse() could allocate sync-related references and then return from later failure paths without cleanup, causing leaked refs. The supplied NVD record lists CWE-459 and a CVSS vector of AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which supports a local availability-only impact. NVD also provides affected kernel version ranges and four official kernel patch references.
Official resources
- CVE-2026-43395 CVE record (CVE.org)
- CVE-2026-43395 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch (four patch references are listed under this source identifier)
Publicly disclosed in NVD on 2026-05-08 and last modified on 2026-05-21. No KEV listing is present in the supplied data.