CVE-2026-31571
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Unlink NV12 planes earlier
unlink_nv12_plane() will clobber parts of the plane state potentially already set up by plane_atomic_check(), so we must make sure not to call the two in the wrong order. The problem happens when a plane previously selected as a Y plane is now configured as a normal plane by user space. plane_atomic_check() will first compute the proper plane state based on the userspace request, and unlink_nv12_plane() later clears some of the state.
This used to work on account of unlink_nv12_plane() skipping the state clearing based on the plane visibility. But I removed that check, thinking it was an impossible situation. Now when that situation happens unlink_nv12_plane() will just WARN and proceed to clobber the state.
Rather than reverting to the old way of doing things, I think it's more clear if we unlink the NV12 planes before we even compute the new plane state.
(cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's drm/i915 driver, improper ordering of NV12 plane unlinking can cause plane state corruption, leading to display issues or system crash.
Vulnerability
Root Cause The vulnerability is in the i915 DRM driver for Intel graphics in the Linux kernel. The function unlink_nv12_plane() is called after plane_atomic_check() when a plane previously used as a Y plane for NV12 format is reconfigured to a normal plane. This overwrites plane state computed by plane_atomic_check(), causing corruption. The issue was introduced when a visibility check in unlink_nv12_plane() was removed, making it always proceed and clobber the state.
Exploitation
Exploitation requires the ability to reconfigure display planes via DRM ioctl, typically available to local users with direct rendering access (e.g., through a display server). An attacker must trigger a specific sequence of plane configuration changes to induce the misordering. No special privileges beyond opening and controlling a DRM device are needed.
Impact
Successful exploitation can cause incorrect plane composition, display artifacts, or a kernel crash, leading to a denial of service. The impact is local availability, reflected in the Medium severity and CVSS v3 score of 5.5.
Mitigation
The issue is fixed by reordering operations to unlink NV12 planes before computing new plane state. Patches were applied to stable kernel branches, as referenced in commits [1], [2], and [3]. Users should update to a kernel version containing these fixes.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.15.1,<6.18.21
- cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.