CVE-2026-31566
Published: 24 April 2026
Summary
CVE-2026-31566 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 3.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-31566 is a use-after-free vulnerability in the Linux kernel's AMDGPU driver, specifically within the amdgpu_amdkfd_submit_ib() function. This function submits a GPU job via amdgpu_ib_schedule(), obtains a fence for waiting on job completion, but incorrectly releases the fence reference using dma_fence_put() before calling dma_fence_wait(). If this is the last reference, the fence may be freed prematurely, leading to a use-after-free condition during the wait operation. The issue was identified via a static analysis warning about passing freed memory and has been assigned CWE-416, with a CVSS v3.1 base score of 7.8.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability. Successful exploitation could result in high-impact confidentiality, integrity, and availability consequences (C:H/I:H/A:H), such as system crashes, data corruption, or potential privilege escalation through the mishandled GPU fence in the AMD KFD (Kernel Fusion Driver) component.
Mitigation involves applying the relevant stable kernel patches, as detailed in the provided references. These include upstream fixes cherry-picked into stable branches, such as commit 138e42be35ff2ce6572ae744de851ea286cf3c69 and others (e.g., 39820864eacd886f1a6f817414fb8f9ea3e9a2b4, 42d248726a0837640452b71c5a202ca3d35239ec), which reorder operations to perform dma_fence_wait() before dma_fence_put(), ensuring the fence reference is held until after the wait completes. Security practitioners should update affected Linux kernels with AMDGPU support to these patched versions.
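The ordering problem described above, as an added userspace model (not kernel code and not taken from the referenced patches). The `model_fence` type and the function names are assumptions standing in for dma_fence_put() and dma_fence_wait(); a `released` flag replaces the actual free so the stale access can be observed safely.

```c
#include <stdio.h>

/* Userspace model of a refcounted fence; NOT the kernel's struct dma_fence. */
struct model_fence {
    int refcount;
    int released;   /* set where the kernel would free the object, so the
                       stale access can be observed without real UB */
};

/* Stands in for dma_fence_put(): drop one reference, release on the last. */
static void model_fence_put(struct model_fence *f)
{
    if (--f->refcount == 0)
        f->released = 1;
}

/* Stands in for dma_fence_wait(): 0 on success, -1 if the fence was already
 * released (the point where the kernel would touch freed memory). */
static int model_fence_wait(const struct model_fence *f)
{
    return f->released ? -1 : 0;
}

/* Pre-fix ordering: reference dropped before the wait. */
int submit_put_then_wait(int refs)
{
    struct model_fence f = { .refcount = refs, .released = 0 };
    model_fence_put(&f);
    return model_fence_wait(&f);
}

/* Fixed ordering: wait first, drop the reference afterwards. */
int submit_wait_then_put(int refs)
{
    struct model_fence f = { .refcount = refs, .released = 0 };
    int ret = model_fence_wait(&f);
    model_fence_put(&f);
    return ret;
}

int main(void)
{
    /* refs = references outstanding when the submit path holds the fence */
    for (int refs = 1; refs <= 2; refs++)
        printf("refs=%d put-then-wait=%d wait-then-put=%d\n", refs,
               submit_put_then_wait(refs), submit_wait_then_put(refs));
    return 0;
}
```

With two outstanding references the pre-fix ordering still succeeds, which is why the defect only shows up when the submit path holds the last reference.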
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25459
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
amdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence from amdgpu_ib_schedule(). This fence is used to wait for job completion.
Currently, the code drops the fence reference using dma_fence_put() before calling dma_fence_wait(). If dma_fence_put() releases the last reference, the fence may be freed before dma_fence_wait() is called. This can lead to a use-after-free.
Fix this by waiting on the fence first and releasing the reference only after dma_fence_wait() completes.
Fixes the below: drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696)
(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in AMDGPU/KFD kernel driver directly enables local privilege escalation from low-privileged user context via crafted GPU job submission.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2026-31566 by requiring timely application of kernel patches that fix the use-after-free in amdgpu_amdkfd_submit_ib by reordering dma_fence_wait before dma_fence_put.
Enables identification of the AMDGPU driver use-after-free vulnerability through regular vulnerability scanning of kernel components.
Provides kernel memory protection techniques that can reduce the exploitability of use-after-free errors in GPU fence handling.