CVE-2026-31571

Source
https://cve.org/CVERecord?id=CVE-2026-31571
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31571.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31571
Downstream
Published
2026-04-24T14:35:50.094Z
Modified
2026-07-15T01:49:10.570671825Z
Summary
drm/i915: Unlink NV12 planes earlier
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Unlink NV12 planes earlier

unlinknv12plane() will clobber parts of the plane state potentially already set up by planeatomiccheck(), so we must make sure not to call the two in the wrong order. The problem happens when a plane previously selected as a Y plane is now configured as a normal plane by user space. planeatomiccheck() will first compute the proper plane state based on the userspace request, and unlinknv12plane() later clears some of the state.

This used to work on account of unlinknv12plane() skipping the state clearing based on the plane visibility. But I removed that check, thinking it was an impossible situation. Now when that situation happens unlinknv12plane() will just WARN and proceed to clobber the state.

Rather than reverting to the old way of doing things, I think it's more clear if we unlink the NV12 planes before we even compute the new plane state.

(cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31571.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6a01df2f1b2a3b29721143729a3feff816bc0083
Fixed
70e2eb91cb6310a3508439f6f2539dfffa0abf77
Fixed
12f3b6cbab8fbeb95097685b40f0147406cf9746
Fixed
bfa71b7a9dc6b5b8af157686e03308291141d00c

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31571.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.15.0
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31571.json"