{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "ada7486c5668db542a7d361268df931aca5b726a"
            },
            {
              "fixed": "ffba51100ff61792fefbae11ca38ac1987a818dd"
            },
            {
              "fixed": "79f52655567a6471ff3d0d6325ede91bb14461f4"
            },
            {
              "fixed": "fbbe32618e97eff81577a01eb7d9adcd64a216d7"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.18.0"
            },
            {
              "fixed": "6.18.16"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43280.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise\n\nWhen user provides a bogus pat_index value through the madvise IOCTL, the\nxe_pat_index_get_coh_mode() function performs an array access without\nvalidating bounds. This allows a malicious user to trigger an out-of-bounds\nkernel read from the xe-\u003epat.table array.\n\nThe vulnerability exists because the validation in madvise_args_are_sane()\ndirectly calls xe_pat_index_get_coh_mode(xe, args-\u003epat_index.val) without\nfirst checking if pat_index is within [0, xe-\u003epat.n_entries).\n\nAlthough xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug\nbuilds, it still performs the unsafe array access in production kernels.\n\nv2(Matthew Auld)\n- Using array_index_nospec() to mitigate spectre attacks when the value\nis used\n\nv3(Matthew Auld)\n- Put the declarations at the start of the block\n\n(cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)",
  "id": "CVE-2026-43280",
  "modified": "2026-07-08T05:37:18.654781724Z",
  "published": "2026-05-06T11:29:01.562Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79f52655567a6471ff3d0d6325ede91bb14461f4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fbbe32618e97eff81577a01eb7d9adcd64a216d7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ffba51100ff61792fefbae11ca38ac1987a818dd"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43280.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43280"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise"
}