CVE-2026-31461
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix drm_edid leak in amdgpu_dm
[WHAT] When a sink is connected, aconnector->drm_edid was overwritten without freeing the previous allocation, causing a memory leak on resume.
[HOW] Free the previous drm_edid before updating it.
(cherry picked from commit 52024a94e7111366141cfc5d888b2ef011f879e5)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's AMD GPU display driver occurs when a sink is connected, as the previous drm_edid is not freed before overwriting.
Vulnerability
In the Linux kernel's AMD GPU display driver (amdgpu_dm), a memory leak vulnerability exists in the handling of EDID data. When a display sink is connected, the aconnector->drm_edid pointer is overwritten with a new allocation without first freeing the previously allocated drm_edid. This results in a memory leak, particularly noticeable on system resume [1].
Exploitation
The vulnerability is triggered during normal operation: when a display is connected, or during resume from suspend, the driver updates the EDID information. An attacker with local access could potentially trigger repeated connect/disconnect cycles to exacerbate the leak, leading to memory exhaustion over time. No special privileges beyond normal user access are required to trigger the code path [2].
Impact
An attacker could cause a denial of service by exhausting kernel memory through repeated EDID updates, leading to system instability or crash. The vulnerability is rated Medium (CVSS 5.5) due to the need for local access and the limited impact on confidentiality or integrity [3].
Mitigation
The fix is included in the Linux kernel commit 52024a94e711, which frees the previous drm_edid before assigning the new one. Users should update to a kernel version containing this patch. No workaround is available other than applying the update [1][2][3].
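A userspace C model of the overwrite-without-free pattern and of the fix described above, added here as an illustration. It is not the kernel patch or amdgpu_dm code; every name in it (model_edid, model_connector, sink_update_leaky, sink_update_fixed, the 64-slot pool) is hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Userspace model only: hypothetical stand-ins, not the kernel's drm_edid
 * API or the amdgpu_dm source. A fixed pool stands in for kernel memory. */
#define POOL_SLOTS 64
struct model_edid { int in_use; unsigned char raw[128]; };
struct model_connector { struct model_edid *drm_edid; };
static struct model_edid pool[POOL_SLOTS];

static struct model_edid *model_edid_alloc(void)
{
    for (size_t i = 0; i < POOL_SLOTS; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL; /* pool exhausted: the end state of an unbounded leak */
}

static void model_edid_free(struct model_edid *e) { if (e) e->in_use = 0; }

/* Pre-fix pattern: the old pointer is overwritten and becomes unreachable. */
static void sink_update_leaky(struct model_connector *c)
{
    c->drm_edid = model_edid_alloc();
}

/* Post-fix pattern: free the previous EDID before storing the new one. */
static void sink_update_fixed(struct model_connector *c)
{
    model_edid_free(c->drm_edid);
    c->drm_edid = model_edid_alloc();
}

/* Run `cycles` sink updates, release the connector's current EDID, and
 * return how many pool slots are still marked in use (that is, leaked). */
int leaked_after(int cycles, int use_fix)
{
    struct model_connector c = { NULL };
    for (size_t i = 0; i < POOL_SLOTS; i++) pool[i].in_use = 0;
    for (int i = 0; i < cycles; i++) {
        if (use_fix) sink_update_fixed(&c);
        else sink_update_leaky(&c);
    }
    model_edid_free(c.drm_edid);
    int n = 0;
    for (size_t i = 0; i < POOL_SLOTS; i++) n += pool[i].in_use;
    return n;
}

int main(void) { printf("leaky: %d, fixed: %d\n", leaked_after(10, 0), leaked_after(10, 1)); return 0; }
```

In the leaky variant every update but the last strands one allocation, so the loss grows linearly with the number of connect or resume events until the pool is exhausted; the fixed variant stays at zero regardless of cycle count.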
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.13,<6.18.21)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Patches
No patches discovered yet.
References
3
News mentions
No linked articles in our index yet.