{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "eb289a5f6cc668853f9b2ea6aca04afe58ed11c7"
            },
            {
              "fixed": "39fdac6be02eb7c3460518c1c4085f75f935c4ce"
            },
            {
              "fixed": "827062952ed9bdf4220466c1f05ce452d04bdedf"
            },
            {
              "fixed": "155a372a1cc50fa93387c5d3cdfd614a61e1afd1"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.18.0"
            },
            {
              "fixed": "6.18.33"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52950.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/dma-buf: fix UAF with retry loop\n\nRetry doesn't work here, since bo will be freed on error, leading to\nUAF. However, now that we do the alloc \u0026 init before the attach, we can\nnow combine this as one unit and have the init do the alloc for us. This\nshould make the retry safe.\n\nReported by Sashiko.\n\nv2: Fix up the error unwind (CI)\n\n(cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)",
  "id": "CVE-2026-52950",
  "modified": "2026-07-08T05:36:00.059021224Z",
  "published": "2026-06-24T16:28:33.469Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/155a372a1cc50fa93387c5d3cdfd614a61e1afd1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/39fdac6be02eb7c3460518c1c4085f75f935c4ce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/827062952ed9bdf4220466c1f05ce452d04bdedf"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52950.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/security/cve/CVE-2026-52950"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52950.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52950"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492318"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "drm/xe/dma-buf: fix UAF with retry loop"
}