PatchSiren cyber security CVE debrief
CVE-2026-31488 Linux CVE debrief
CVE-2026-31488 is a Linux kernel AMDGPU DRM display flaw in DSC validation. When DSC pre-validation decides a stream has no timing change, it can incorrectly clear the CRTC mode_changed flag even if another unrelated mode change is happening in the same KMS commit. That can leave the old stream unreleased and the new stream unreferenced, which the kernel report describes as a memory leak followed by a potential use-after-free when the stream is later disabled. The official record was published on 2026-04-22 and modified on 2026-05-17.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-22
- Original CVE updated: 2026-05-17
- Advisory published: 2026-04-22
- Advisory updated: 2026-05-17
Who should care
Kernel and distribution maintainers, especially teams shipping Linux with AMDGPU display support, should treat this as a high-priority graphics stack fix. It also matters to OEMs and users of AMD systems that use MST/DSC display paths or similar multi-monitor KMS workflows, because the bug is triggered by display-configuration changes rather than by a network exposure.
Technical summary
The issue is in drm/amd/display and dates from the addition of DSC pre-validation. In pre_validate_dsc(), amdgpu could reset mode_changed to false when DSC recomputation showed no timing change for a stream. That is unsafe if the same atomic commit also contains an unrelated mode change on the same CRTC. In that case, dm_update_crtc_state() may already have created a new stream for the mode change, but the later DSC handling suppresses the change flag anyway. The result is inconsistent stream lifetime management in amdgpu_dm_commit_streams() and amdgpu_dm_atomic_commit_tail(), which the report ties to memory leakage and a later use-after-free in dc_stream_release(). The fix restores the earlier mode_changed value instead of unconditionally clearing it.
Defensive priority
High. This is a kernel use-after-free condition in the graphics/display path with CVSS 7.8 (HIGH). Even though local privileges are required, kernel memory corruption can crash systems and potentially undermine system integrity and availability.
Recommended defensive actions
- Apply the Linux kernel fixes referenced in the official record and ensure any downstream stable branches include the backport.
- Upgrade affected kernels to releases outside the NVD-listed vulnerable ranges: from 5.18.1 up to (but not including) 6.12.80, from 6.13 up to (but not including) 6.18.21, and from 6.19 up to (but not including) 6.19.11; also review the explicitly listed 5.18 and 7.0-rc1 through 7.0-rc7 entries.
- If you maintain vendor kernels, verify that the DSC validation logic preserves unrelated mode_changed state across atomic commits.
- Prioritize testing on systems that use AMDGPU with MST/DSC and mixed internal/external display setups, since the bug is tied to those configuration transitions.
- Watch for kernel warnings, KASAN reports, or display-stack crashes involving dc_stream_release and related amdgpu DRM paths until patched builds are deployed.
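A fleet-triage helper for the version ranges listed above, added here as an example (it is not code from the CVE record or from the kernel project). It flags `uname -r` style release strings whose upstream base version falls in a listed range; the host names and sample strings are constructed, and because distribution kernels may carry the backport under an older version number, a match means "review", not "vulnerable".

```python
import re

# Upstream ranges listed on this page: (first affected, first fixed).
AFFECTED_RANGES = [
    ((5, 18, 1), (6, 12, 80)),
    ((6, 13, 0), (6, 18, 21)),
    ((6, 19, 0), (6, 19, 11)),
]
# Entries the page lists individually: 5.18 itself and 7.0-rc1 through 7.0-rc7.
AFFECTED_EXACT = {(5, 18, 0)}
AFFECTED_RC = {(7, 0, 0): range(1, 8)}

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), rc or None)."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)

def in_listed_range(release):
    """True if the upstream base version is in a range listed for CVE-2026-31488."""
    version, rc = parse_release(release)
    if rc is not None:
        # Only the 7.0-rcN builds are listed; other -rc builds need a manual check.
        return rc in AFFECTED_RC.get(version, ())
    if version in AFFECTED_EXACT:
        return True
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)

def triage(inventory):
    """Map host -> 'review' (listed range) or 'outside-range'."""
    return {host: "review" if in_listed_range(rel) else "outside-range"
            for host, rel in inventory.items()}

# Constructed sample inventory (host names and release strings are made up).
SAMPLE = {
    "ws-01": "6.12.79-generic",
    "ws-02": "6.12.80",
    "ws-03": "6.19.10-arch1-1",
    "ws-04": "7.0.0-rc3",
    "ws-05": "5.15.0-91-generic",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(host, SAMPLE[host], verdict)
```

Hosts marked "review" still need the vendor changelog checked for the backport, and the flaw only applies where the AMDGPU display driver is in use.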
Evidence notes
The CVE record states that the bug was published on 2026-04-22 and modified on 2026-05-17. NVD classifies it as CWE-416 (Use After Free) with CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.8. The description explicitly links the flaw to drm/amd/display DSC validation, a dropped mode_changed flag, memory leak behavior, and a later use-after-free in dc_stream_release(). NVD references include multiple kernel stable patch links, indicating an official fix path is available.
Official resources
- CVE-2026-31488 CVE record (CVE.org)
- CVE-2026-31488 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
Publicly disclosed in the official CVE/NVD record on 2026-04-22, with the record updated on 2026-05-17. The vulnerability description notes that the fix was cherry-picked from Linux kernel commit cc7c7121ae082b7b82891baa7280f1ff2608f22b, as