CVE-2026-31667

#include <linux/uinput.h> #include <fcntl.h> #include <string.h> #include <unistd.h> // PoC Concept: Trigger circular locking dependency // This requires a setup that mimics the interaction between uinput and ff-core. int main() { int fd = open("/dev/uinput", O_WRONLY | O_NONBLOCK); if (fd < 0) return 1; // Enable Force Feedback capability ioctl(fd, UI_SET_EVBIT, EV_FF); // ... setup device ... // Create device struct uinput_user_dev uidev = {0}; strcpy(uidev.name, "PoC-Device"); write(fd, &uidev, sizeof(uidev)); ioctl(fd, UI_DEV_CREATE); // Trigger upload effect (holds ff->mutex, tries udev->mutex) struct ff_effect effect = {0}; ioctl(fd, EVIOCSFF, &effect); // Concurrently trigger release/destroy operations to race with upload // This requires multi-threading to hit the specific lock order race condition. close(fd); return 0; }

{"cve": {"id": "CVE-2026-31667", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:46.390", "lastModified": "2026-04-27T20:00:40.187", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - fix circular locking dependency with ff-core\n\nA lockdep circular locking dependency warning can be triggered\nreproducibly when using a force-feedback gamepad with uinput (for\nexample, playing ELDEN RING under Wine with a Flydigi Vader 5\ncontroller):\n\n ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex\n\nThe cycle is caused by four lock acquisition paths:\n\n1. ff upload: input_ff_upload() holds ff->mutex and calls\n uinput_dev_upload_effect() -> uinput_request_submit() ->\n uinput_request_send(), which acquires udev->mutex.\n\n2. device create: uinput_ioctl_handler() holds udev->mutex and calls\n uinput_create_device() -> input_register_device(), which acquires\n input_mutex.\n\n3. device register: input_register_device() holds input_mutex and\n calls kbd_connect() -> input_register_handle(), which acquires\n dev->mutex.\n\n4. evdev release: evdev_release() calls input_flush_device() under\n dev->mutex, which calls input_ff_flush() acquiring ff->mutex.\n\nFix this by introducing a new state_lock spinlock to protect\nudev->state and udev->dev access in uinput_request_send() instead of\nacquiring udev->mutex. The function only needs to atomically check\ndevice state and queue an input event into the ring buffer via\nuinput_dev_event() -- both operations are safe under a spinlock\n(ktime_get_ts64() and wake_up_interruptible() do not sleep). This\nbreaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in\nthe lock ordering and cannot form cycles with mutexes.\n\nTo keep state transitions visible to uinput_request_send(), protect\nwrites to udev->state in uinput_create_device() and\nuinput_destroy_device() with the same state_lock spinlock.\n\nAdditionally, move init_completion(&request->done) from\nuinput_request_send() to uinput_request_submit() before\nuinput_request_reserve_slot(). Once the slot is allocated,\nuinput_flush_requests() may call complete() on it at any time from\nthe destroy path, so the completion must be initialised before the\nrequest becomes visible.\n\nLock ordering after the fix:\n\n ff->mutex -> state_lock (spinlock, leaf)\n udev->mutex -> state_lock (spinlock, leaf)\n udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-667"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19.1", "versionEndExcluding": "5.10.253", "matchCriteriaId": "59C4CD77-5444-4760-B0D8-F238740397B4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.169", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.135", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.82", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.23", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.13", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.19:-:*:*:*:*:*:*", "matchCriteriaId": "9E2DBD4C-9DD9-4DD3-87CB-A0070A789CEA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", ... (truncated)