CVE-2026-31488
Published: 22 April 2026
Summary
CVE-2026-31488 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-31488 is a use-after-free vulnerability (CWE-416) in the Linux kernel's AMDGPU driver, specifically within the drm/amd/display subsystem. The issue stems from incorrect handling of the CRTC state mode_changed flag during DSC (Display Stream Compression) pre-validation in atomic checks. Starting from commit 17ce8a6907f7, the driver resets this flag to false if DSC recomputation results in no timing changes for a stream. However, this overlooks scenarios where unrelated mode changes (e.g., HDR enable/disable on a laptop's integrated panel) coincide with MST/DSC configuration updates, such as plugging in external DP-MST screens. Consequently, new streams are created but old ones are not released, leading to a memory leak and eventual use-after-free when the unreferenced stream is disabled, as evidenced by a KASAN-reported crash in dc_stream_release.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L). Successful exploitation triggers the use-after-free in amdgpu_dm_atomic_commit_tail during stream management, potentially allowing arbitrary code execution, data corruption, or system crashes with high impact on confidentiality, integrity, and availability (CVSS 7.8). The bug manifests in kernel workqueues like drm_mode_rmfb_work_fn, making it triggerable via standard DRM/KMS operations involving display reconfiguration.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, such as 10862e344b4d6434642a48c87d765813fc0b0ba7, 111208b5b7ebcdadb3f922cc52d8425f0fa91b33, 8a5edc97fd9c6415ff2eff872748439a97e3c3d8, and aed3d041ab061ec8a64f50a3edda0f4db7280025. These patches preserve the original mode_changed flag value before DSC validation and restore it afterward, ensuring proper stream release regardless of unrelated mode changes. Systems running affected AMDGPU-enabled kernels should update to a patched version promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24855
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Do not skip unrelated mode changes in DSC validation

Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check"), amdgpu resets the CRTC state mode_changed flag to false when recomputing the DSC configuration results in no timing change for a particular stream. However, this is incorrect in scenarios where a change in MST/DSC configuration happens in the same KMS commit as another (unrelated) mode change. For example, the integrated panel of a laptop may be configured differently (e.g., HDR enabled/disabled) depending on whether external screens are attached. In this case, plugging in external DP-MST screens may result in the mode_changed flag being dropped incorrectly for the integrated panel if its DSC configuration did not change during precomputation in pre_validate_dsc().

At this point, however, dm_update_crtc_state() has already created new streams for CRTCs with DSC-independent mode changes. In turn, amdgpu_dm_commit_streams() will never release the old stream, resulting in a memory leak. amdgpu_dm_atomic_commit_tail() will never acquire a reference to the new stream either, which manifests as a use-after-free when the stream gets disabled later on:

BUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu]
Write of size 4 at addr ffff88813d836524 by task kworker/9:9/29977
Workqueue: events drm_mode_rmfb_work_fn
Call Trace:
 <TASK>
 dump_stack_lvl+0x6e/0xa0
 print_address_description.constprop.0+0x88/0x320
 ? dc_stream_release+0x25/0x90 [amdgpu]
 print_report+0xfc/0x1ff
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __virt_addr_valid+0x225/0x4e0
 ? dc_stream_release+0x25/0x90 [amdgpu]
 kasan_report+0xe1/0x180
 ? dc_stream_release+0x25/0x90 [amdgpu]
 kasan_check_range+0x125/0x200
 dc_stream_release+0x25/0x90 [amdgpu]
 dc_state_destruct+0x14d/0x5c0 [amdgpu]
 dc_state_release.part.0+0x4e/0x130 [amdgpu]
 dm_atomic_destroy_state+0x3f/0x70 [amdgpu]
 drm_atomic_state_default_clear+0x8ee/0xf30
 ? drm_mode_object_put.part.0+0xb1/0x130
 __drm_atomic_state_free+0x15c/0x2d0
 atomic_remove_fb+0x67e/0x980

Since there is no reliable way of figuring out whether a CRTC has unrelated mode changes pending at the time of DSC validation, remember the value of the mode_changed flag from before the point where a CRTC was marked as potentially affected by a change in DSC configuration. Reset the mode_changed flag to this earlier value instead in pre_validate_dsc().

(cherry picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b)
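To make the stream bookkeeping described in the analysis and in the commit message concrete, the following is an added C model, not the kernel's code: the function names follow the commit message, but the stream and CRTC state structs, the reference counts and the flag-based free tracking are simplified assumptions. It runs one KMS commit with an unrelated HDR toggle (mode_changed set) and unchanged DSC timing through the buggy and the fixed pre_validate_dsc() logic and reports whether the old stream leaked and whether the new stream was released after it had already been freed.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the stream bookkeeping described for CVE-2026-31488;
 * names follow the commit message, bodies are simplifications, not kernel code.
 * Frees are tracked with a flag so a release on a freed stream is counted. */
struct stream { int refcount; bool freed; };
struct crtc_state {
    bool mode_changed, saved_mode_changed;  /* KMS flag; copy the fix remembers */
    bool dsc_timing_changed;                /* did DSC recomputation change timing? */
    struct stream *old_stream, *new_stream;
};
struct outcome { int old_stream_leaked; int uaf_hits; };
static int uaf_hits;
static struct stream *stream_alloc(void) {
    struct stream *s = calloc(1, sizeof *s); s->refcount = 1; return s;
}
static void stream_release(struct stream *s) {
    if (s->freed) { uaf_hits++; return; }   /* the kernel would write freed memory */
    if (--s->refcount == 0) s->freed = true;
}
/* dm_update_crtc_state(): a CRTC with a mode change gets a new stream. */
static void dm_update_crtc_state(struct crtc_state *c) {
    if (c->mode_changed) c->new_stream = stream_alloc();
}
/* pre_validate_dsc(): buggy code clears mode_changed when DSC timing is unchanged;
 * the fixed code restores the value remembered before DSC marking instead. */
static void pre_validate_dsc(struct crtc_state *c, bool fixed) {
    if (!c->dsc_timing_changed)
        c->mode_changed = fixed ? c->saved_mode_changed : false;
}
/* amdgpu_dm_commit_streams(): the old stream is released only for changed CRTCs. */
static void commit_streams(struct crtc_state *c) {
    if (c->mode_changed && c->old_stream) stream_release(c->old_stream);
}
/* amdgpu_dm_atomic_commit_tail(): takes its own reference on the new stream. */
static void commit_tail(struct crtc_state *c) {
    if (c->mode_changed && c->new_stream) c->new_stream->refcount++;
}
static struct outcome simulate(bool fixed) {
    struct crtc_state c = { .mode_changed = true, .old_stream = stream_alloc() };
    uaf_hits = 0; c.saved_mode_changed = c.mode_changed;  /* remembered by the fix */
    dm_update_crtc_state(&c);
    pre_validate_dsc(&c, fixed);
    commit_streams(&c);
    commit_tail(&c);
    stream_release(c.new_stream);  /* atomic state destroyed: drops its reference */
    stream_release(c.new_stream);  /* stream disabled later: UAF on the buggy path */
    struct outcome o = { !c.old_stream->freed, uaf_hits };
    free(c.old_stream); free(c.new_stream); return o;
}
```

With the buggy flag handling the old stream is never released and the second release of the new stream lands on already-freed memory; with the remembered value restored both counters are zero.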
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF in AMDGPU display driver enables direct exploitation for privilege escalation via DRM/KMS operations, leading to arbitrary code execution in kernel context.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely remediation of the use-after-free flaw in the AMDGPU driver by applying the upstream kernel patches that correctly preserve the mode_changed flag during DSC validation.
- Kernel memory protections such as non-executable pages and address randomization raise the cost of exploiting the use-after-free in dc_stream_release during stream management, but do not remove the flaw.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning and monitoring identify AMDGPU-enabled kernel versions affected by the improper CRTC state handling, so that patching can be prioritised promptly.