PatchSiren

CVE-2026-31766 Linux CVE debrief

CVE-2026-31766 is a Linux kernel AMDGPU flaw in user queue creation where a user-controlled doorbell_offset could be used without bounds checking. The kernel patch validates that the offset stays within the allocated doorbell buffer object before computing the BAR doorbell index, using u64 arithmetic to avoid overflow. This reduces the risk of out-of-range doorbell indexing and potential corruption of kernel doorbell space.

Vendor: Linux
Product: CVE-2026-31766
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-01
Original CVE updated: 2026-05-11
Advisory published: 2026-05-01
Advisory updated: 2026-05-11

Who should care

Linux kernel maintainers, distro security teams, and operators of systems that use AMDGPU and expose user queue creation to untrusted local users. Because the CVSS vector is local and low-privilege, multi-user workstations and other shared hosts deserve particular attention.

Technical summary

The vulnerable path is amdgpu_userq_get_doorbell_index(), which passed a user-provided doorbell_offset to amdgpu_doorbell_index_on_bar() without first verifying that the offset fit within the allocated doorbell BO. An oversized offset could yield an index outside the intended doorbell range, risking corruption of kernel doorbell space. The fix adds bounds validation before the index calculation and performs it in u64 arithmetic to avoid overflow.
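The following user-space C model is an added illustration, not the kernel patch or any AMDGPU code; it shows why a bounds check on the offset has to be computed in 64-bit arithmetic. The function names, the slot-based offset unit, the 8-byte slot size and the 4096-byte BO size are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (assumption, not kernel code): doorbell_offset counts
 * fixed-size slots inside a doorbell buffer object (BO) of bo_size bytes. */

/* Flawed variant: the end of the slot is computed in 32 bits, so a large
 * offset wraps around and the comparison against the BO size passes. */
static bool offset_ok_u32(uint32_t doorbell_offset, uint32_t slot_size,
                          uint64_t bo_size)
{
    uint32_t end = doorbell_offset * slot_size + slot_size; /* may wrap */
    return end <= bo_size;
}

/* Hardened variant: widen to 64 bits before multiplying, so the end of the
 * slot is exact and an out-of-range offset is always rejected. */
static bool offset_ok_u64(uint32_t doorbell_offset, uint32_t slot_size,
                          uint64_t bo_size)
{
    uint64_t end = (uint64_t)doorbell_offset * slot_size + slot_size;
    return end <= bo_size;
}

int main(void)
{
    const uint64_t bo_size = 4096; /* constructed sample: one-page BO */
    const uint32_t slot = 8;       /* constructed sample: 8-byte slots */
    /* Constructed offsets: first slot, last valid slot, first invalid slot,
     * and two values whose 32-bit byte range wraps. */
    const uint32_t samples[] = { 0, 511, 512, 0x20000000u, 0xFFFFFFFFu };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("offset=%#x u32_check=%d u64_check=%d\n", samples[i],
               offset_ok_u32(samples[i], slot, bo_size),
               offset_ok_u64(samples[i], slot, bo_size));
    return 0;
}
```

Both variants agree on the small offsets; only the 64-bit check rejects the two offsets whose byte range wraps in 32 bits.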

Defensive priority

High for affected Linux kernels with AMDGPU enabled; prioritize rapid patching on shared or multi-user systems where local users can create queues.

Recommended defensive actions

  • Apply the Linux kernel updates that include the AMDGPU doorbell_offset validation fix.
  • If you maintain a downstream kernel, verify that the patch from the referenced stable kernel commits is present in your tree.
  • Inventory hosts running affected Linux kernel versions listed by NVD and prioritize those with AMDGPU in use.
  • Treat untrusted local access on affected systems as a meaningful risk until patched, because the attack vector is local and low-privilege.
  • Use the official NVD and CVE records to confirm whether your deployed kernel build is in the affected range before scheduling remediation.

Evidence notes

All statements are based on the supplied NVD record and the linked kernel patch references. NVD lists the issue as analyzed, with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The supplied record identifies the affected Linux kernel ranges as 6.16 up to but not including 6.18.22, 6.19 up to but not including 6.19.12, and 7.0-rc1 through 7.0-rc6. No KEV entry or exploitation reporting was supplied in the corpus.

Official resources

NVD published this CVE on 2026-05-01T15:16:39.763Z and last modified it on 2026-05-11T17:49:58.887Z. The supplied record links three Linux kernel patch references and marks the vulnerability as analyzed.