CVE-2026-31562

Source
https://cve.org/CVERecord?id=CVE-2026-31562
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31562.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31562
Downstream
Related
Published
2026-04-24T14:35:43.950Z
Modified
2026-07-09T18:31:37.028275476Z
Summary
drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/mediatek: dsi: Store driver data before invoking mipidsihost_register

The call to mipidsihostregister triggers a callback to mtkdsibind, which uses devgetdrvdata to retrieve the mtkdsi struct, so this structure needs to be stored inside the driver data before invoking it.

As drvdata is currently uninitialized it leads to a crash when registering the DSI DRM encoder right after acquiring the modeconfig.idrmutex, blocking all subsequent DRM operations.

Fixes the following crash during mediatek-drm probe (tested on Xiaomi Smart Clock x04g):

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040 [...] Modules linked in: mediatekdrm(+) drmdisplayhelper cec drmclientlib drmdmahelper drmkmshelper panelsimple [...] Call trace: drmmodeobject_add+0x58/0x98 (P) __drmencoderinit+0x48/0x140 drmencoderinit+0x6c/0xa0 drmsimpleencoderinit+0x20/0x34 [drmkmshelper] mtkdsibind+0x34/0x13c [mediatekdrm] componentbindall+0x120/0x280 mtkdrmbind+0x284/0x67c [mediatekdrm] trytobringupaggregatedevice+0x23c/0x320 __componentadd+0xa4/0x198 componentadd+0x14/0x20 mtkdsihostattach+0x78/0x100 [mediatekdrm] mipidsiattach+0x2c/0x50 panelsimpledsiprobe+0x4c/0x9c [panelsimple] mipidsidrvprobe+0x1c/0x28 reallyprobe+0xc0/0x3dc __driverprobedevice+0x80/0x160 driverprobedevice+0x40/0x120 __deviceattachdriver+0xbc/0x17c bus_foreachdrv+0x88/0xf0 __deviceattach+0x9c/0x1cc deviceinitialprobe+0x54/0x60 busprobedevice+0x34/0xa0 deviceadd+0x5b0/0x800 mipidsideviceregisterfull+0xdc/0x16c mipidsihostregister+0xc4/0x17c mtkdsiprobe+0x10c/0x260 [mediatekdrm] platformprobe+0x5c/0xa4 reallyprobe+0xc0/0x3dc __driverprobedevice+0x80/0x160 driverprobedevice+0x40/0x120 __driverattach+0xc8/0x1f8 busforeachdev+0x7c/0xe0 driverattach+0x24/0x30 busadddriver+0x11c/0x240 driverregister+0x68/0x130 __platformregisterdrivers+0x64/0x160 mtkdrminit+0x24/0x1000 [mediatekdrm] dooneinitcall+0x60/0x1d0 doinitmodule+0x54/0x240 loadmodule+0x1838/0x1dc0 initmodulefrom_file+0xd8/0xf0 __arm64sysfinitmodule+0x1b4/0x428 invokesyscall.constprop.0+0x48/0xc8 doel0svc+0x3c/0xb8 el0svc+0x34/0xe8 el0t64synchandler+0xa0/0xe4 el0t64sync+0x198/0x19c Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31562.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e4732b590a77318dff134612b013d66d2448ab20
Fixed
9a709b7e36324dfc1e6728eb81405470b7ae84e5
Fixed
df03f5ac1eae7c5a2c01846e3e64dfc2870eec6b
Fixed
4cfdfeb6ac06079f92fccd977fa742d6c5b8dd3a

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31562.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.9.0
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31562.json"