CVE-2026-31667
Published: 24 April 2026
Summary
CVE-2026-31667 is a high-severity Improper Locking (CWE-667) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of the kernel flaw via patches that introduce a state_lock spinlock to break the circular locking dependency in uinput.
Ensures organizations receive, disseminate, and assess kernel advisories recommending stable repository patches for this uinput locking vulnerability.
Enables vulnerability scanning to identify systems running vulnerable Linux kernel versions affected by the uinput circular locking dependency.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel improper locking (CWE-667) in uinput/ff-core enables privilege escalation via memory corruption/race conditions and system DoS via deadlock from a low-privileged attacker.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: Input: uinput - fix circular locking dependency with ff-core A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput (for example, playing ELDEN…
more
RING under Wine with a Flydigi Vader 5 controller): ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex The cycle is caused by four lock acquisition paths: 1. ff upload: input_ff_upload() holds ff->mutex and calls uinput_dev_upload_effect() -> uinput_request_submit() -> uinput_request_send(), which acquires udev->mutex. 2. device create: uinput_ioctl_handler() holds udev->mutex and calls uinput_create_device() -> input_register_device(), which acquires input_mutex. 3. device register: input_register_device() holds input_mutex and calls kbd_connect() -> input_register_handle(), which acquires dev->mutex. 4. evdev release: evdev_release() calls input_flush_device() under dev->mutex, which calls input_ff_flush() acquiring ff->mutex. Fix this by introducing a new state_lock spinlock to protect udev->state and udev->dev access in uinput_request_send() instead of acquiring udev->mutex. The function only needs to atomically check device state and queue an input event into the ring buffer via uinput_dev_event() -- both operations are safe under a spinlock (ktime_get_ts64() and wake_up_interruptible() do not sleep). This breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in the lock ordering and cannot form cycles with mutexes. To keep state transitions visible to uinput_request_send(), protect writes to udev->state in uinput_create_device() and uinput_destroy_device() with the same state_lock spinlock. Additionally, move init_completion(&request->done) from uinput_request_send() to uinput_request_submit() before uinput_request_reserve_slot(). Once the slot is allocated, uinput_flush_requests() may call complete() on it at any time from the destroy path, so the completion must be initialised before the request becomes visible. Lock ordering after the fix: ff->mutex -> state_lock (spinlock, leaf) udev->mutex -> state_lock (spinlock, leaf) udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)
Deeper analysisAI
CVE-2026-31667 affects the Linux kernel's uinput subsystem, specifically involving a circular locking dependency with the ff-core force-feedback component. This vulnerability triggers a reproducible lockdep warning when using force-feedback gamepads via uinput, such as a Flydigi Vader 5 controller while playing ELDEN RING under Wine. The cycle arises from four lock acquisition paths: ff effect upload acquiring ff->mutex then udev->mutex; uinput device creation holding udev->mutex then input_mutex; device registration holding input_mutex then dev->mutex; and evdev release holding dev->mutex then ff->mutex.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation involves triggering the locking paths, potentially leading to high impacts on confidentiality, integrity, and availability due to the improper locking (CWE-667).
Kernel advisories recommend applying patches from the stable repository to mitigate the issue. The fix introduces a new state_lock spinlock to protect udev->state and udev->dev accesses in uinput_request_send(), replacing the broader udev->mutex and breaking the ff->mutex to udev->mutex link, as spinlocks are leaves in lock ordering. State transitions in uinput_create_device() and uinput_destroy_device() are also protected by this spinlock, with additional changes to completion initialization in uinput_request_submit(). Relevant commits include https://git.kernel.org/stable/c/1534661043c434b81cfde26b97a2fb2460329cf0, https://git.kernel.org/stable/c/1e09dfbb4f5d20ee111f92325a00f85778a5f328, https://git.kernel.org/stable/c/271ee71a1917b89f6d73ec82dd091c33d92ee617, https://git.kernel.org/stable/c/4cda78d6f8bf2b700529f2fbccb994c3e826d7c2, and https://git.kernel.org/stable/c/546c18a14924eb521fe168d916d7ce28f1e13c1d.
Details
- CWE(s)