Cyber Resilience

CVE-2026-31566

High

Published: 24 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31566 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31566 is a use-after-free vulnerability in the Linux kernel's AMDGPU driver, specifically within the amdgpu_amdkfd_submit_ib() function. This function submits a GPU job via amdgpu_ib_schedule() and obtains a fence for waiting on job completion, but it incorrectly releases the fence reference using dma_fence_put() before calling dma_fence_wait(). If this is the last reference, the fence may be freed prematurely, leading to a use-after-free condition during the wait operation. The issue was identified via a static analysis warning about passing freed memory and has been assigned CWE-416, with a CVSS v3.1 base score of 7.8.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability. Successful exploitation could result in high-impact confidentiality, integrity, and availability consequences (C:H/I:H/A:H), such as system crashes, data corruption, or potential privilege escalation through the mishandled GPU fence in the AMD KFD (Kernel Fusion Driver) component.

Mitigation involves applying the relevant stable kernel patches, as detailed in the provided references. These include upstream fixes cherry-picked into stable branches, such as commit 138e42be35ff2ce6572ae744de851ea286cf3c69 and others (e.g., 39820864eacd886f1a6f817414fb8f9ea3e9a2b4, 42d248726a0837640452b71c5a202ca3d35239ec), which reorder operations to perform dma_fence_wait() before dma_fence_put(), ensuring the fence reference is held until after the wait completes. Security practitioners should update affected Linux kernels with AMDGPU support to these patched versions.
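The ordering problem and its fix can be seen in a small userspace model. This is an added example, not the kernel's code or the patch itself: struct toy_fence, toy_fence_put(), toy_fence_wait() and the two submit_* functions are hypothetical stand-ins, and a "released" flag replaces the real free so the bad ordering can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for a refcounted fence (hypothetical, not struct dma_fence).
 * Nothing is really freed; "released" marks where the free would happen. */
struct toy_fence {
    int  refcount;
    bool signaled;
    bool released;
};

static void toy_fence_put(struct toy_fence *f)
{
    if (--f->refcount == 0)
        f->released = true;
}

/* Returns 0 on a valid wait, -1 if the fence was already released,
 * i.e. the point where real code would be touching freed memory. */
static int toy_fence_wait(struct toy_fence *f)
{
    if (f->released)
        return -1;
    f->signaled = true;   /* pretend the GPU job completed */
    return 0;
}

/* Ordering described as vulnerable: put, then wait. */
int submit_put_then_wait(int extra_refs)
{
    struct toy_fence f = { .refcount = 1 + extra_refs };
    toy_fence_put(&f);
    return toy_fence_wait(&f);
}

/* Ordering used by the fix: wait, then put. */
int submit_wait_then_put(int extra_refs)
{
    struct toy_fence f = { .refcount = 1 + extra_refs };
    int ret = toy_fence_wait(&f);
    toy_fence_put(&f);
    return ret;
}

int main(void)
{
    printf("put->wait, sole ref:   %d\n", submit_put_then_wait(0));
    printf("put->wait, shared ref: %d\n", submit_put_then_wait(1));
    printf("wait->put, sole ref:   %d\n", submit_wait_then_put(0));
    return 0;
}
```

The shared-reference case shows why the defect can stay hidden: the put-before-wait ordering only misbehaves when the dropped reference is the last one.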

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib

amdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence from amdgpu_ib_schedule(). This fence is used to wait for job completion.

Currently, the code drops the fence reference using dma_fence_put() before calling dma_fence_wait().

If dma_fence_put() releases the last reference, the fence may be freed before dma_fence_wait() is called. This can lead to a use-after-free.

Fix this by waiting on the fence first and releasing the reference only after dma_fence_wait() completes.

Fixes the below:
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696)

(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068: Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Use-after-free in AMDGPU/KFD kernel driver directly enables local privilege escalation from low-privileged user context via crafted GPU job submission.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (Same product: Linux Linux Kernel)
CVE-2026-31530 (Same product: Linux Linux Kernel)
CVE-2026-43019 (Same product: Linux Linux Kernel)
CVE-2026-23158 (Same product: Linux Linux Kernel)
CVE-2025-21893 (Same product: Linux Linux Kernel)
CVE-2026-31446 (Same product: Linux Linux Kernel)
CVE-2026-31650 (Same product: Linux Linux Kernel)
CVE-2026-23001 (Same product: Linux Linux Kernel)
CVE-2024-50051 (Same product: Linux Linux Kernel)
CVE-2025-21759 (Same product: Linux Linux Kernel)

Affected Assets

linux
linux kernel
6.0, 7.0 · 6.0.1 — 6.1.168 · 6.2 — 6.6.131 · 6.7 — 6.12.80

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-31566 by requiring timely application of kernel patches that fix the use-after-free in amdgpu_amdkfd_submit_ib by reordering dma_fence_wait before dma_fence_put.

detect

Enables identification of the AMDGPU driver use-after-free vulnerability through regular vulnerability scanning of kernel components.

prevent

Provides kernel memory protection techniques that can reduce the exploitability of use-after-free errors in GPU fence handling.

References