CVE-2026-31785

Vulnerability

Overview

The Linux kernel's DRM/XE page fault handler, in the xe_pagefault_service function, fails to reject write or atomic access to read-only virtual memory areas (VMAs). This missing permission check allows a page fault to be serviced even when the VMA is marked read-only, violating the expected memory protection semantics.

Exploitation

Prerequisites

An attacker must have local access to the system and the ability to trigger page faults on GPU memory mappings managed by the XE driver. This typically requires some level of user-space access to the DRM/XE subsystem, such as being able to submit GPU commands or manipulate buffer objects. No special privileges beyond local user access are necessary.

Impact

If successfully exploited, an attacker could write to memory regions that should be read-only, leading to memory corruption. This could be leveraged to escalate privileges, cause a denial of service, or potentially leak sensitive information. The vulnerability is rated Medium (CVSS 5.5) due to the requirement for local access and the need to interact with the GPU driver.

Mitigation

The fix has been applied in the Linux kernel and backported to stable branches via commits [1] and [2]. Users should update their kernel to a version containing the fix or apply the relevant patch. No workaround is available.