CVE-2026-31781
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/ioc32: stop speculation on the drm_compat_ioctl path
The drm compat ioctl path takes a user controlled pointer, and then dereferences it into a table of function pointers, the signature method of spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Spectre-variant speculation vulnerability in the Linux kernel's DRM compat ioctl path allows an attacker to leak kernel memory via a user-controlled index into a function pointer table.
Vulnerability
The Linux kernel's DRM subsystem contains a speculation vulnerability in the drm_compat_ioctl function. This function takes a user-controlled index and uses it to dereference a table of function pointers. Without proper bounds checking, speculative execution can access out-of-bounds memory, leaking sensitive data. This is a classic Spectre v1 (bounds check bypass) pattern [1].
Exploitation
An attacker must have local access to a DRM device (e.g., /dev/dri/card0) and be able to issue DRM ioctl calls. No special privileges beyond a local user account are required. The attacker can train the branch predictor to speculatively execute with an attacker-chosen index, causing the CPU to speculatively read kernel memory at an arbitrary offset. This speculative read can be observed via a cache side-channel, allowing the attacker to infer the contents of kernel memory.
Impact
Successful exploitation could allow an unprivileged local attacker to read arbitrary kernel memory, potentially leaking sensitive information such as cryptographic keys, passwords, or other secrets. The CVSS v3 score is 5.5 (Medium), reflecting the requirement for local access and the high confidentiality impact.
Mitigation
The fix adds a call to array_index_nospec() before indexing into the function pointer table, preventing speculative out-of-bounds access. The patch has been applied to the mainline kernel and backported to stable branches [1]. Users should update to a patched kernel version to mitigate this vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
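The mitigation described above, as an added example that is not part of this record or of the kernel's own source: a userspace C re-implementation of the arithmetic behind the kernel's generic array_index_mask_nospec()/array_index_nospec(), applied to a constructed three-entry dispatch table standing in for the compat ioctl function pointer array, with the pre-fix and post-fix lookups side by side. The handler names and table contents are assumptions.

```c
#include <limits.h>

/* Userspace copy of the kernel's generic array_index_mask_nospec(): ~0UL when
 * index < size, 0UL otherwise, computed without a branch the CPU could
 * mispredict. Relies on arithmetic right shift of a negative long, as the
 * kernel does; size must be <= LONG_MAX. */
static inline unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* Equivalent of the kernel's array_index_nospec() macro for an unsigned long:
 * an out-of-range index is forced to 0, even on a mispredicted path. */
static inline unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed stand-in for the compat ioctl function pointer table. */
typedef int (*handler_fn)(void);
static int h0(void) { return 100; }
static int h1(void) { return 101; }
static int h2(void) { return 102; }
static const handler_fn handlers[] = { h0, h1, h2 };
#define NR_HANDLERS (sizeof(handlers) / sizeof(handlers[0]))

/* Before the fix: architecturally correct, but while the bounds check is still
 * unresolved the CPU may speculatively load handlers[nr] for any nr. */
int dispatch_before(unsigned long nr)
{
    if (nr >= NR_HANDLERS)
        return -1;
    return handlers[nr]();
}

/* After the fix: a mispredicted out-of-range nr is clamped to 0, so the
 * speculative load stays inside the table. Architectural results are unchanged,
 * which is why an ordinary functional test cannot tell the two apart. */
int dispatch_after(unsigned long nr)
{
    if (nr >= NR_HANDLERS)
        return -1;
    nr = array_index_nospec(nr, NR_HANDLERS);
    return handlers[nr]();
}
```

Because the clamp only changes behaviour on the speculative path, verifying the fix means checking that the call is present in the patched source (or that the compiled code masks the index), not observing a different return value.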
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=3.16.63, <3.17)
- cpe:2.3:o:linux:linux_kernel:4.20:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/27ef84bba9b9d7b03418c60fbc6069ea0e87b13c (nvd, Patch)
- git.kernel.org/stable/c/46a60ee8956ef1975f00455f614761c7ecedc09d (nvd, Patch)
- git.kernel.org/stable/c/489f2ef2b908898d01df697dc4fe1476674be640 (nvd, Patch)
- git.kernel.org/stable/c/4a41c2b18fc05d30b718d2602cac339eae710b34 (nvd, Patch)
- git.kernel.org/stable/c/5bb398991f378ef74d90b14a6ea8b61ff96cc03a (nvd, Patch)
- git.kernel.org/stable/c/d59c5d8539662d95887b4564f3f72ad38076a2d5 (nvd, Patch)
- git.kernel.org/stable/c/f0e441be08a2eab10b2d06fccfa267ee599dd6b3 (nvd, Patch)
- git.kernel.org/stable/c/f8995c2df519f382525ca4bc90553ad2ec611067 (nvd, Patch)
News mentions
No linked articles in our index yet.