CVE-2026-31571 (GCVE-0-2026-31571)

Vulnerability from cvelistv5 – Published: 2026-04-24 14:35 – Updated: 2026-05-11 22:11
Title
drm/i915: Unlink NV12 planes earlier
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Unlink NV12 planes earlier

unlink_nv12_plane() will clobber parts of the plane state potentially already set up by plane_atomic_check(), so we must make sure not to call the two in the wrong order. The problem happens when a plane previously selected as a Y plane is now configured as a normal plane by user space. plane_atomic_check() will first compute the proper plane state based on the userspace request, and unlink_nv12_plane() later clears some of the state.

This used to work on account of unlink_nv12_plane() skipping the state clearing based on the plane visibility. But I removed that check, thinking it was an impossible situation. Now when that situation happens unlink_nv12_plane() will just WARN and proceed to clobber the state.

Rather than reverting to the old way of doing things, I think it's more clear if we unlink the NV12 planes before we even compute the new plane state.

(cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 6a01df2f1b2a3b29721143729a3feff816bc0083 , < 70e2eb91cb6310a3508439f6f2539dfffa0abf77 (git)
Affected: 6a01df2f1b2a3b29721143729a3feff816bc0083 , < 12f3b6cbab8fbeb95097685b40f0147406cf9746 (git)
Affected: 6a01df2f1b2a3b29721143729a3feff816bc0083 , < bfa71b7a9dc6b5b8af157686e03308291141d00c (git)
Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.18.21 , ≤ 6.18.* (semver)
Unaffected: 6.19.11 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/display/intel_plane.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "70e2eb91cb6310a3508439f6f2539dfffa0abf77",
              "status": "affected",
              "version": "6a01df2f1b2a3b29721143729a3feff816bc0083",
              "versionType": "git"
            },
            {
              "lessThan": "12f3b6cbab8fbeb95097685b40f0147406cf9746",
              "status": "affected",
              "version": "6a01df2f1b2a3b29721143729a3feff816bc0083",
              "versionType": "git"
            },
            {
              "lessThan": "bfa71b7a9dc6b5b8af157686e03308291141d00c",
              "status": "affected",
              "version": "6a01df2f1b2a3b29721143729a3feff816bc0083",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/display/intel_plane.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.21",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.11",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Unlink NV12 planes earlier\n\nunlink_nv12_plane() will clobber parts of the plane state\npotentially already set up by plane_atomic_check(), so we\nmust make sure not to call the two in the wrong order.\nThe problem happens when a plane previously selected as\na Y plane is now configured as a normal plane by user space.\nplane_atomic_check() will first compute the proper plane\nstate based on the userspace request, and unlink_nv12_plane()\nlater clears some of the state.\n\nThis used to work on account of unlink_nv12_plane() skipping\nthe state clearing based on the plane visibility. But I removed\nthat check, thinking it was an impossible situation. Now when\nthat situation happens unlink_nv12_plane() will just WARN\nand proceed to clobber the state.\n\nRather than reverting to the old way of doing things, I think\nit\u0027s more clear if we unlink the NV12 planes before we even\ncompute the new plane state.\n\n(cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:11:21.787Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/70e2eb91cb6310a3508439f6f2539dfffa0abf77"
        },
        {
          "url": "https://git.kernel.org/stable/c/12f3b6cbab8fbeb95097685b40f0147406cf9746"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfa71b7a9dc6b5b8af157686e03308291141d00c"
        }
      ],
      "title": "drm/i915: Unlink NV12 planes earlier",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31571",
    "datePublished": "2026-04-24T14:35:50.094Z",
    "dateReserved": "2026-03-09T15:48:24.117Z",
    "dateUpdated": "2026-05-11T22:11:21.787Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31571",
      "date": "2026-05-25",
      "epss": "0.00013",
      "percentile": "0.02246"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31571\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-24T15:16:31.653\",\"lastModified\":\"2026-04-27T20:33:43.247\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915: Unlink NV12 planes earlier\\n\\nunlink_nv12_plane() will clobber parts of the plane state\\npotentially already set up by plane_atomic_check(), so we\\nmust make sure not to call the two in the wrong order.\\nThe problem happens when a plane previously selected as\\na Y plane is now configured as a normal plane by user space.\\nplane_atomic_check() will first compute the proper plane\\nstate based on the userspace request, and unlink_nv12_plane()\\nlater clears some of the state.\\n\\nThis used to work on account of unlink_nv12_plane() skipping\\nthe state clearing based on the plane visibility. But I removed\\nthat check, thinking it was an impossible situation. 
Now when\\nthat situation happens unlink_nv12_plane() will just WARN\\nand proceed to clobber the state.\\n\\nRather than reverting to the old way of doing things, I think\\nit\u0027s more clear if we unlink the NV12 planes before we even\\ncompute the new plane state.\\n\\n(cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.15.1\",\"versionEndExcluding\":\"6.18.21\",\"matchCriteriaId\":\"36BA90C1-6493-4928-A360-8DF69289C352\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.11\",\"matchCriteriaId\":\"4CA2E747-A9EC-4518-9AA2-B4247FC748B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1ECC65A-EE37-4479-8E99-4BB68A22A31F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe
:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"02259FDA-961B-47BC-AE7F-93D7EC6E90C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D2315C0-D46F-4F85-9754-F9E5E11374A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"512EE3A8-A590-4501-9A94-5D4B268D6138\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/12f3b6cbab8fbeb95097685b40f0147406cf9746\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/70e2eb91cb6310a3508439f6f2539dfffa0abf77\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bfa71b7a9dc6b5b8af157686e03308291141d00c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}

