CVE-2026-31656

Description

In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat A use-after-free / refcount underflow is possible when the heartbeat worker and intel_engine_park_heartbeat() race to release the same engine->heartbeat.systole request. The heartbeat worker reads engine->heartbeat.systole and calls i915_request_put() on it when the request is complete, but clears the pointer in a separate, non-atomic step. Concurrently, a request retirement on another CPU can drop the engine wakeref to zero, triggering __engine_park() -> intel_engine_park_heartbeat(). If the heartbeat timer is pending at that point, cancel_delayed_work() returns true and intel_engine_park_heartbeat() reads the stale non-NULL systole pointer and calls i915_request_put() on it again, causing a refcount underflow: ``` <4> [487.221889] Workqueue: i915-unordered engine_retire [i915] <4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0 ... <4> [487.222707] Call Trace: <4> [487.222711] <TASK> <4> [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915] <4> [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915] <4> [487.223566] __engine_park+0xb9/0x650 [i915] <4> [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915] <4> [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915] <4> [487.224797] intel_context_exit_engine+0x7c/0x80 [i915] <4> [487.225238] intel_context_exit+0xf1/0x1b0 [i915] <4> [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915] <4> [487.226178] i915_request_retire+0x1c/0x40 [i915] <4> [487.226625] engine_retire+0x122/0x180 [i915] <4> [487.227037] process_one_work+0x239/0x760 <4> [487.227060] worker_thread+0x200/0x3f0 <4> [487.227068] ? __pfx_worker_thread+0x10/0x10 <4> [487.227075] kthread+0x10d/0x150 <4> [487.227083] ? __pfx_kthread+0x10/0x10 <4> [487.227092] ret_from_fork+0x3d4/0x480 <4> [487.227099] ? __pfx_kthread+0x10/0x10 <4> [487.227107] ret_from_fork_asm+0x1a/0x30 <4> [487.227141] </TASK> ``` Fix this by replacing the non-atomic pointer read + separate clear with xchg() in both racing paths. xchg() is a single indivisible hardware instruction that atomically reads the old pointer and writes NULL. This guarantees only one of the two concurrent callers obtains the non-NULL pointer and performs the put, the other gets NULL and skips it. (cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 6.8

Linux Kernel stable branches before commit 2af8b200cae3fdd0e917ecc2753b28bb40c876c1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * Conceptual PoC for CVE-2026-31656 (Race Condition)
 * This code attempts to trigger the race by spamming GPU operations.
 * Requires root/sudo to interact with kernel modules directly in some setups,
 * but the vulnerability is triggered by local unprivileged users.
 */

#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>

#define DEVICE_PATH "/dev/dri/card0" // Typical path for i915

void* workload_thread(void* arg) {
    // Simulate heavy workload to trigger engine park/unpark cycles
    // In a real exploit, this involves specific DRM_IOCTL calls
    for (int i = 0; i < 10000; i++) {
        // Placeholder for actual ioctl calls to i915
        // ioctl(fd, DRM_IOCTL_I915_GEM_EXECBUFFER2, ...);
        usleep(1);
    }
    return NULL;
}

int main() {
    pthread_t t1, t2;
    int fd = open(DEVICE_PATH, O_RDWR);
    if (fd < 0) {
        perror("Failed to open device");
        return 1;
    }

    printf("[+] Starting race condition trigger for CVE-2026-31656\n");

    // Create multiple threads to increase likelihood of race
    pthread_create(&t1, NULL, workload_thread, NULL);
    pthread_create(&t2, NULL, workload_thread, NULL);

    pthread_join(t1, NULL);
    pthread_join(t2, NULL);

    close(fd);
    printf("[+] Exploit attempt finished. Check dmesg for refcount errors.\n");
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31656
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31656
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31656/
[4] VulDB https://vuldb.com/cve/CVE-2026-31656
[5] https://git.kernel.org/stable/c/2af8b200cae3fdd0e917ecc2753b28bb40c876c1
[6] https://git.kernel.org/stable/c/455d98ed527fc94eed90406f90ab2391464ca657
[7] https://git.kernel.org/stable/c/4c71fd099513bfa8acab529b626e1f0097b76061
[8] https://git.kernel.org/stable/c/70d3e622b10092fc483e28e57b4e8c49d9cc7f68
[9] https://git.kernel.org/stable/c/8ce44d28a84fd5e053a88b04872a89d95c0779d4
[10] https://git.kernel.org/stable/c/a00e92bf6583d019a4fb2c2df7007e6c9b269ce7
[11] https://git.kernel.org/stable/c/ca3f48c3567dd49efdc55b80029ae74659c682ee

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31656", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:45.097", "lastModified": "2026-04-27T20:16:43.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat\n\nA use-after-free / refcount underflow is possible when the heartbeat\nworker and intel_engine_park_heartbeat() race to release the same\nengine->heartbeat.systole request.\n\nThe heartbeat worker reads engine->heartbeat.systole and calls\ni915_request_put() on it when the request is complete, but clears\nthe pointer in a separate, non-atomic step. Concurrently, a request\nretirement on another CPU can drop the engine wakeref to zero, triggering\n__engine_park() -> intel_engine_park_heartbeat(). If the heartbeat\ntimer is pending at that point, cancel_delayed_work() returns true and\nintel_engine_park_heartbeat() reads the stale non-NULL systole pointer\nand calls i915_request_put() on it again, causing a refcount underflow:\n\n```\n<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]\n<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0\n...\n<4> [487.222707] Call Trace:\n<4> [487.222711] <TASK>\n<4> [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]\n<4> [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915]\n<4> [487.223566] __engine_park+0xb9/0x650 [i915]\n<4> [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915]\n<4> [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915]\n<4> [487.224797] intel_context_exit_engine+0x7c/0x80 [i915]\n<4> [487.225238] intel_context_exit+0xf1/0x1b0 [i915]\n<4> [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915]\n<4> [487.226178] i915_request_retire+0x1c/0x40 [i915]\n<4> [487.226625] engine_retire+0x122/0x180 [i915]\n<4> [487.227037] process_one_work+0x239/0x760\n<4> [487.227060] worker_thread+0x200/0x3f0\n<4> [487.227068] ? __pfx_worker_thread+0x10/0x10\n<4> [487.227075] kthread+0x10d/0x150\n<4> [487.227083] ? __pfx_kthread+0x10/0x10\n<4> [487.227092] ret_from_fork+0x3d4/0x480\n<4> [487.227099] ? __pfx_kthread+0x10/0x10\n<4> [487.227107] ret_from_fork_asm+0x1a/0x30\n<4> [487.227141] </TASK>\n```\n\nFix this by replacing the non-atomic pointer read + separate clear with\nxchg() in both racing paths. xchg() is a single indivisible hardware\ninstruction that atomically reads the old pointer and writes NULL. This\nguarantees only one of the two concurrent callers obtains the non-NULL\npointer and performs the put, the other gets NULL and skips it.\n\n(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-191"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5.1", "versionEndExcluding": "5.15.203", "matchCriteriaId": "6A1B622D-B57C-432F-A03B-40A25B6C1E06"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.169", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.135", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.82", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.23", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.13", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*", "matchCriteriaId": "EE98F46A-F7D9-4609-B6A0-882E7F0D378C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, { ... (truncated)