CVE-2026-31767

/* * PoC Simulation for CVE-2026-31767 * This code simulates the logic error leading to a division by zero. * Trigger: Loading the i915 driver on affected hardware (e.g., Huawei Matebook E) * in command mode. */ #include <stdio.h> #include <stdlib.h> // Simulated structure for display timings struct display_timing { int htotal; int pixel_clock; // in kHz }; // Vulnerable function logic simulation void calculate_vtotal(struct display_timing *timing) { // Simulate DSC adjustment in command mode (the bug) // In command mode, this adjustment makes htotal extremely small printf("[+] Applying DSC timing adjustment in Command Mode...\n"); timing->htotal = 10; // Abnormally small value due to bug printf("[+] Adjusted htotal: %d\n", timing->htotal); // Calculate line time in microseconds // Logic: (htotal * 1000) / pixel_clock // If htotal is too small, integer division might result in 0 unsigned int line_time_us = (timing->htotal * 1000) / timing->pixel_clock; printf("[+] Calculated line_time_us: %u\n", line_time_us); // The crash happens here when determining vtotal // vtotal calculation typically involves dividing by line_time_us if (line_time_us == 0) { printf("[!] EXPLOIT TRIGGERED: Division by zero! Kernel Panic.\n"); // int vtotal = 1000000 / line_time_us; // This would crash the kernel } else { int vtotal = 1000000 / line_time_us; printf("[-] Safe execution. vtotal: %d\n", vtotal); } } int main() { printf("CVE-2026-31767 PoC Simulation\n"); printf("-------------------------------\n"); struct display_timing timing; timing.pixel_clock = 150000; // Typical pixel clock // Scenario: System enters command mode calculate_vtotal(&timing); return 0; }

{"cve": {"id": "CVE-2026-31767", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:39.870", "lastModified": "2026-05-11T17:53:02.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode\n\nStop adjusting the horizontal timing values based on the\ncompression ratio in command mode. Bspec seems to be telling\nus to do this only in video mode, and this is also how the\nWindows driver does things.\n\nThis should also fix a div-by-zero on some machines because\nthe adjusted htotal ends up being so small that we end up with\nline_time_us==0 when trying to determine the vtotal value in\ncommand mode.\n\nNote that this doesn't actually make the display on the\nHuawei Matebook E work, but at least the kernel no longer\nexplodes when the driver loads.\n\n(cherry picked from commit 0b475e91ecc2313207196c6d7fd5c53e1a878525)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-369"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.12.81", "matchCriteriaId": "D7C26F95-0187-4B01-A110-0643650CED29"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.22", "matchCriteriaId": "C9DF8BCE-36D3-475D-9D21-19E4F02F9029"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/33b5336e4fd8ba0e40a12989cadb3f5534a0f9e4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4dfce79e098915d8e5fc2b9e1d980bc3251dd32c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/55efe8402f46af8399c8b634a18b130a05fd7820", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/86e926b108880c0109b8635e459450447156aeb7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}