VYPR
Medium severity (5.5) · NVD Advisory · Published Apr 22, 2026 · Updated May 7, 2026

CVE-2026-31460


Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: check if ext_caps is valid in BL setup

LVDS connectors don't have extended backlight caps so check if the pointer is valid before accessing it.

(cherry picked from commit 3f797396d7f4eb9bb6eded184bbc6f033628a6f6)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A null-pointer dereference in the AMD GPU display driver when setting up backlight on LVDS connectors could cause a denial of service.

Root Cause

The vulnerability resides in the drm/amd/display driver's backlight (BL) setup routine. When handling LVDS connectors, the code attempts to access extended backlight capabilities (ext_caps) without first verifying that the pointer is valid. LVDS connectors do not provide these extended caps, so the pointer can be NULL, leading to a null-pointer dereference [1].

Exploitation

An attacker would need to have local access to a system with an AMD GPU that uses the affected display driver and an LVDS display panel. No special privileges beyond the ability to trigger display mode changes are required. The bug is triggered during normal display initialization or when the system resumes from suspend, making it reachable without explicit malicious actions [1].

Impact

A successful null-pointer dereference causes a kernel panic, resulting in a denial of service (system crash). The CVSS v3 score of 5.5 (Medium) reflects the local attack vector and the availability impact. No data confidentiality or integrity is compromised [1].

Mitigation

The fix was introduced in the Linux kernel in 2026 via commit 3f797396d7f4 and backported to stable kernels. Users should update to a kernel version containing this commit or the relevant backport. No workaround is available other than applying the patch [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel (6 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.19,<6.19.11)
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
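
To triage hosts against the affected versions listed above, this added example (not part of the advisory or of the kernel project) compares a `uname -r` string with those ranges and checks whether an `amdgpu` module is loaded. The function names and the use of `/proc/modules` are choices made for this example.

```python
import platform
import re

# Affected versions exactly as listed in this advisory's CPE entries.
STABLE_RANGE = ((6, 19, 0), (6, 19, 11))   # >=6.19, <6.19.11
AFFECTED_RCS = {(7, 0): {1, 2, 3, 4, 5}}   # 7.0-rc1 through 7.0-rc5

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), rc_or_None)."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)


def in_listed_range(release):
    """True if the release string falls inside a range listed on this page."""
    version, rc = parse_release(release)
    if rc is not None:
        # Release candidates sort before the final release, so match them by
        # number only and never against the stable range.
        return version[2] == 0 and rc in AFFECTED_RCS.get(version[:2], set())
    low, high = STABLE_RANGE
    return low <= version < high


def amdgpu_loaded(proc_modules_text):
    """True if amdgpu appears in /proc/modules text (built-in drivers do not)."""
    return any(line.split(" ", 1)[0] == "amdgpu"
               for line in proc_modules_text.splitlines())


if __name__ == "__main__":
    release = platform.release()
    try:
        with open("/proc/modules") as fh:
            driver = amdgpu_loaded(fh.read())
    except OSError:
        driver = None  # not Linux, or /proc unavailable
    print(f"{release}: listed range={in_listed_range(release)}, amdgpu module={driver}")
```

A match on the version string is a prompt to check the vendor's advisory, not proof of exposure: distribution kernels often carry backported fixes without changing the base version.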
