PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43396 Linux CVE debrief

CVE-2026-43396 is a Linux kernel vulnerability in the drm/xe sync path: when dma_fence_chain_alloc() failed, the error path did not release the user fence reference it had taken. NVD rates it medium severity (CVSS 5.5) with a local availability impact and classifies it as CWE-401 (missing release of memory after effective lifetime).

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Organizations running affected Linux kernel builds should care most, especially systems that load the Xe DRM driver (the drm/xe driver for Intel Xe GPUs). This is most relevant to security teams managing workstation, desktop, or GPU-enabled Linux environments, and to anyone maintaining fleets of Linux hosts on these kernel versions.

Technical summary

According to the kernel fix description, if dma_fence_chain_alloc() fails, the code path did not drop the user fence reference it had already taken, so each failed allocation stranded one reference and the associated memory was never released. NVD maps the issue to CWE-401 and assigns CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: a locally reachable, low-privilege availability issue with no confidentiality or integrity impact. NVD's vulnerable CPE criteria cover Linux kernel versions from 6.18.1 up to but not including 6.18.20, from 6.19 up to but not including 6.19.9, and the specific release and release-candidate entries 6.18, 6.18-rc5, 6.18-rc6, 6.18-rc7 and 7.0-rc1.
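To make the bug class concrete, the following userspace C model reproduces the error-path pattern the fix description implies. This is an added example for this debrief, not the drm/xe code and not the kernel patch: ufence, chain_alloc(), ufence_get()/ufence_put(), chain_release() and the attach_chain_*() functions are hypothetical stand-ins for the kernel's user fence object, dma_fence_chain_alloc() and its refcount helpers. The "leaky" variant takes a reference, fails the allocation and returns without dropping it; the "fixed" variant balances the reference on every exit path. A fault-injection flag forces the allocation to fail so both paths can be exercised.

```c
/*
 * Added example: userspace model of the CWE-401 error-path pattern behind
 * CVE-2026-43396. NOT the drm/xe code. All names below are hypothetical
 * stand-ins for the kernel's user fence, dma_fence_chain and refcount helpers.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct ufence {
    int refcount;               /* stands in for a kref / refcount_t */
};

struct fence_chain {
    struct ufence *owner;       /* the chain holds one reference on its owner */
};

/* Fault-injection knob: when set, the next chain_alloc() returns NULL. */
static int fail_next_chain_alloc;

static struct fence_chain *chain_alloc(void)
{
    if (fail_next_chain_alloc) {
        fail_next_chain_alloc = 0;
        return NULL;            /* models dma_fence_chain_alloc() failing */
    }
    return calloc(1, sizeof(struct fence_chain));
}

static void ufence_get(struct ufence *f) { f->refcount++; }

/* Drops one reference; returns 1 if it was the last one and the object was freed. */
static int ufence_put(struct ufence *f)
{
    if (--f->refcount == 0) {
        free(f);
        return 1;
    }
    return 0;
}

static void chain_release(struct fence_chain *c)
{
    ufence_put(c->owner);       /* give back the reference the chain held */
    free(c);
}

/* "Before": the reference taken by ufence_get() is never dropped when the
 * allocation fails, so one reference is stranded on every failure. */
static int attach_chain_leaky(struct ufence *f, struct fence_chain **out)
{
    struct fence_chain *c;

    ufence_get(f);
    c = chain_alloc();
    if (!c)
        return -ENOMEM;         /* BUG: missing ufence_put(f) */
    c->owner = f;
    *out = c;
    return 0;
}

/* "After": every exit path balances the get with a put. */
static int attach_chain_fixed(struct ufence *f, struct fence_chain **out)
{
    struct fence_chain *c;

    ufence_get(f);
    c = chain_alloc();
    if (!c) {
        ufence_put(f);          /* release the reference taken above */
        return -ENOMEM;
    }
    c->owner = f;
    *out = c;
    return 0;
}

typedef int (*attach_fn)(struct ufence *, struct fence_chain **);

/* Force the allocation to fail, then drop the caller's own reference.
 * Returns 1 if the object survived (a reference leaked), 0 if it was freed,
 * -1 if the failure path was not exercised. */
static int leaks_on_alloc_failure(attach_fn fn)
{
    struct ufence *f = calloc(1, sizeof(*f));
    struct fence_chain *c = NULL;
    int freed;

    f->refcount = 1;            /* the caller's reference */
    fail_next_chain_alloc = 1;
    if (fn(f, &c) != -ENOMEM || c != NULL) {
        free(f);
        return -1;
    }
    freed = ufence_put(f);
    if (!freed)
        free(f);                /* reclaim the stranded object so the model itself stays clean */
    return freed ? 0 : 1;
}

/* Success path: both variants balance their references once the chain is released. */
static int balanced_on_success(attach_fn fn)
{
    struct ufence *f = calloc(1, sizeof(*f));
    struct fence_chain *c = NULL;
    int freed;

    f->refcount = 1;
    fail_next_chain_alloc = 0;
    if (fn(f, &c) != 0 || c == NULL) {
        free(f);
        return -1;
    }
    chain_release(c);           /* refcount 2 -> 1 */
    freed = ufence_put(f);      /* refcount 1 -> 0: freed */
    if (!freed)
        free(f);
    return freed;
}

int main(void)
{
    printf("leaky variant leaks on alloc failure: %d\n", leaks_on_alloc_failure(attach_chain_leaky));
    printf("fixed variant leaks on alloc failure: %d\n", leaks_on_alloc_failure(attach_chain_fixed));
    printf("balanced on success (leaky, fixed): %d %d\n",
           balanced_on_success(attach_chain_leaky), balanced_on_success(attach_chain_fixed));
    return 0;
}
```

The point the model makes is that the leak is invisible on the success path: both variants balance their references once the chain is released, and only fault injection on the allocation exposes the stranded reference. When reviewing error paths in code that pairs a get with a later put, check every early return between the two; in the kernel this is the pattern a `goto err_put` style cleanup label exists to enforce.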

Defensive priority

Medium. The vulnerability requires local, low-privileged access (AV:L, PR:L) and affects availability only, but repeated failures on this path leak kernel memory that is never reclaimed until reboot, so moving affected systems to a patched kernel should be scheduled through normal maintenance rather than deferred.

Recommended defensive actions

  • Check whether the running kernel (for example from uname -r, after stripping any distribution suffix) falls inside the affected NVD version ranges or matches one of the listed release candidates.
  • Apply the stable kernel updates referenced by the official git.kernel.org links in the CVE record.
  • Prioritize remediation on systems that load the Xe DRM driver or are operationally sensitive to kernel memory exhaustion.
  • Monitor kernel release channels and your distribution's backports for the fix if you cannot immediately move to an unaffected version.
  • Use standard patch verification and reboot/change-management processes to confirm the fixed kernel is the one actually running.

Evidence notes

All conclusions are based on the supplied NVD record, its CVSS/CWE metadata, the CVE publication timestamps, and the linked official kernel patch references. The kernel change description states that a user fence reference must be released when dma_fence_chain_alloc() fails, preventing a memory leak. NVD lists no KEV entry and assigns a local, availability-focused CVSS profile.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-08; last modified in the supplied record on 2026-05-21. No KEV listing is indicated in the provided enrichment data.