๐Ÿ›ก๏ธ CVE-2026-31656
๐ŸŸ  CVSS 7.8 โ€” High โœ… No Known Exploit CWE-191 NVD
7.8
CVSS Score
0 Low4 Medium7 High9 Critical10

Description

In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat A use-after-free / refcount underflow is possible when the heartbeat worker and intel_engine_park_heartbeat() race to release the same engine->heartbeat.systole request. The heartbeat worker reads engine->heartbeat.systole and calls i915_request_put() on it when the request is complete, but clears the pointer in a separate, non-atomic step. Concurrently, a request retirement on another CPU can drop the engine wakeref to zero, triggering __engine_park() -> intel_engine_park_heartbeat(). If the heartbeat timer is pending at that point, cancel_delayed_work() returns true and intel_engine_park_heartbeat() reads the stale non-NULL systole pointer and calls i915_request_put() on it again, causing a refcount underflow: ``` [487.221889] Workqueue: i915-unordered engine_retire [i915] [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0 ... [487.222707] Call Trace: [487.222711] [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915] [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915] [487.223566] __engine_park+0xb9/0x650 [i915] [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915] [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915] [487.224797] intel_context_exit_engine+0x7c/0x80 [i915] [487.225238] intel_context_exit+0xf1/0x1b0 [i915] [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915] [487.226178] i915_request_retire+0x1c/0x40 [i915] [487.226625] engine_retire+0x122/0x180 [i915] [487.227037] process_one_work+0x239/0x760 [487.227060] worker_thread+0x200/0x3f0 [487.227068] ? __pfx_worker_thread+0x10/0x10 [487.227075] kthread+0x10d/0x150 [487.227083] ? __pfx_kthread+0x10/0x10 [487.227092] ret_from_fork+0x3d4/0x480 [487.227099] ? __pfx_kthread+0x10/0x10 [487.227107] ret_from_fork_asm+0x1a/0x30 [487.227141] ``` Fix this by replacing the non-atomic pointer read + separate clear with xchg() in both racing paths. xchg() is a single indivisible hardware instruction that atomically reads the old pointer and writes NULL. This guarantees only one of the two concurrent callers obtains the non-NULL pointer and performs the put, the other gets NULL and skips it. (cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)

Details

Severity HIGH
CVSS Score 7.8
CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE CWE-191
Public Exploit โœ… No
Source NVD
Published 2026-04-24
Updated 2026-06-02
Modified 2026-06-01

Affected Packages

Software From version Fixed in
linux-kernel โ€” โ€”

Similar Threats

Patch Gap Protection

Running software with known vulnerabilities?

BotEraser can help reduce exposure by blocking IPs associated with exploit activity โ€” even before a patch is available.

Start Free โ†’

No credit card required  ยท  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.