CVE-2026-31656

Severity: HIGH · CVSS 3.1: 7.8 · EPSS 1.9%
Published Apr 24, 2026
Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat

A use-after-free / refcount underflow is possible when the heartbeat worker and intel_engine_park_heartbeat() race to release the same engine->heartbeat.systole request.

The heartbeat worker reads engine->heartbeat.systole and calls i915_request_put() on it when the request is complete, but clears the pointer in a separate, non-atomic step. Concurrently, a request retirement on another CPU can drop the engine wakeref to zero, triggering __engine_park() -> intel_engine_park_heartbeat(). If the heartbeat timer is pending at that point, cancel_delayed_work() returns true and intel_engine_park_heartbeat() reads the stale non-NULL systole pointer and calls i915_request_put() on it again, causing a refcount underflow:

```
<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]
<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0
...
<4> [487.222707] Call Trace:
<4> [487.222711] <TASK>
<4> [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]
<4> [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915]
<4> [487.223566] __engine_park+0xb9/0x650 [i915]
<4> [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915]
<4> [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915]
<4> [487.224797] intel_context_exit_engine+0x7c/0x80 [i915]
<4> [487.225238] intel_context_exit+0xf1/0x1b0 [i915]
<4> [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915]
<4> [487.226178] i915_request_retire+0x1c/0x40 [i915]
<4> [487.226625] engine_retire+0x122/0x180 [i915]
<4> [487.227037] process_one_work+0x239/0x760
<4> [487.227060] worker_thread+0x200/0x3f0
<4> [487.227068] ? __pfx_worker_thread+0x10/0x10
<4> [487.227075] kthread+0x10d/0x150
<4> [487.227083] ? __pfx_kthread+0x10/0x10
<4> [487.227092] ret_from_fork+0x3d4/0x480
<4> [487.227099] ? __pfx_kthread+0x10/0x10
<4> [487.227107] ret_from_fork_asm+0x1a/0x30
<4> [487.227141] </TASK>
```

Fix this by replacing the non-atomic pointer read + separate clear with xchg() in both racing paths. xchg() is a single indivisible hardware instruction that atomically reads the old pointer and writes NULL. This guarantees only one of the two concurrent callers obtains the non-NULL pointer and performs the put, the other gets NULL and skips it.

(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)
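A userspace model of the two release patterns described above, added here as an illustration; it is not code from the i915 driver or from the fix commit. The struct, the function names and the hand-scripted interleaving (both paths read the slot before either clears it) are assumptions, and C11 atomic_exchange() stands in for the kernel's xchg().

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a refcounted request. */
struct request { int refcount; int underflows; };

static void request_put(struct request *rq)
{
    if (rq->refcount == 0) {   /* the kernel warns via refcount_warn_saturate() here */
        rq->underflows++;
        return;
    }
    rq->refcount--;
}

/* Pre-fix pattern: read the slot, put, clear the slot in a later step. */
static int racy_release(void)
{
    struct request rq = { .refcount = 1, .underflows = 0 };
    struct request *systole = &rq;            /* shared slot holding one reference */

    struct request *worker_view = systole;    /* heartbeat worker reads */
    struct request *park_view = systole;      /* park path reads the stale pointer */
    if (worker_view) request_put(worker_view);
    if (park_view) request_put(park_view);    /* second put on the same reference */
    systole = NULL;                           /* the clear arrives too late */
    (void)systole;
    return rq.underflows;
}

/* Post-fix pattern: each path swaps NULL into the slot and owns what it got back. */
static int xchg_release(void)
{
    struct request rq = { .refcount = 1, .underflows = 0 };
    _Atomic(struct request *) systole = &rq;

    struct request *worker_view = atomic_exchange(&systole, (struct request *)NULL);
    struct request *park_view = atomic_exchange(&systole, (struct request *)NULL);
    if (worker_view) request_put(worker_view);
    if (park_view) request_put(park_view);    /* park_view is NULL, so this is skipped */
    return rq.underflows;
}

int main(void)
{
    printf("racy underflows: %d\n", racy_release());
    printf("xchg underflows: %d\n", xchg_release());
    return 0;
}
```

Whichever caller runs its exchange first, the slot yields the non-NULL pointer exactly once, so the single reference is dropped exactly once.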

CVSS Details

Base Score: 7.8
Exploitability: 1.8
Impact: 5.9
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 1.9% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 1

CWE-191

Affected Products 14

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.5.1 – <5.15.203
linux   linux_kernel  *        ≥5.16 – <6.1.169
linux   linux_kernel  *        ≥6.2 – <6.6.135
linux   linux_kernel  *        ≥6.7 – <6.12.82
linux   linux_kernel  *        ≥6.13 – <6.18.23
linux   linux_kernel  *        ≥6.19 – <6.19.13
linux   linux_kernel  5.5      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/2af8b200cae3fdd0e917ecc2753b28bb40c876c1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/455d98ed527fc94eed90406f90ab2391464ca657
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4c71fd099513bfa8acab529b626e1f0097b76061
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/70d3e622b10092fc483e28e57b4e8c49d9cc7f68
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/82034799c6c14b3104668878c3f3e5786f777126
  • git.kernel.org https://git.kernel.org/stable/c/8ce44d28a84fd5e053a88b04872a89d95c0779d4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a00e92bf6583d019a4fb2c2df7007e6c9b269ce7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ca3f48c3567dd49efdc55b80029ae74659c682ee
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2af8b200cae3fdd0e917ecc2753b28bb40c876c1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/455d98ed527fc94eed90406f90ab2391464ca657
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4c71fd099513bfa8acab529b626e1f0097b76061
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/70d3e622b10092fc483e28e57b4e8c49d9cc7f68
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8ce44d28a84fd5e053a88b04872a89d95c0779d4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a00e92bf6583d019a4fb2c2df7007e6c9b269ce7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ca3f48c3567dd49efdc55b80029ae74659c682ee
    Patch