CVE-2026-31479
Received - Intake
Use-After-Free in Linux Kernel DRM XE VM Bind Causes System Instability

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: always keep track of remap prev/next

During 3D workload, user is reporting hitting:

[ 413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925
[ 413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy)
[ 413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe]
[ 413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282
[ 413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000
[ 413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000
[ 413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380
[ 413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380
[ 413.362083] FS: 00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000
[ 413.362085] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0
[ 413.362088] PKRU: 55555554
[ 413.362089] Call Trace:
[ 413.362092] <TASK>
[ 413.362096] xe_vm_bind_ioctl+0xa9a/0xc60 [xe]

Which seems to hint that the vma we are re-inserting for the ops unwind is either invalid or overlapping with something already inserted in the vm. It shouldn't be invalid since this is a re-insertion, so must have worked before. Leaving the likely culprit as something already placed where we want to insert the vma.

Following from that, for the case where we do something like a rebind in the middle of a vma, and one or both mapped ends are already compatible, we skip doing the rebind of those vma and set next/prev to NULL. As well as then adjust the original unmap va range, to avoid unmapping the ends.

However, if we trigger the unwind path, we end up with three va, with the two ends never being removed and the original va range in the middle still being the shrunken size. If this occurs, one failure mode is when another unwind op needs to interact with that range, which can happen with a vector of binds. For example, if we need to re-insert something in place of the original va. In this case the va is still the shrunken version, so when removing it and then doing a re-insert it can overlap with the ends, which were never removed, triggering a warning like above, plus leaving the vm in a bad state.

With that, we need two things here:

1) Stop nuking the prev/next tracking for the skip cases. Instead relying on checking for skip prev/next, where needed. That way on the unwind path, we now correctly remove both ends.

2) Undo the unmap va shrinkage, on the unwind path. With the two ends now removed the unmap va should expand back to the original size again, before re-insertion.

v2:
- Update the explanation in the commit message, based on an actual IGT of triggering this issue, rather than conjecture.
- Also undo the unmap shrinkage, for the skip case. With the two ends now removed, the original unmap va range should expand back to the original range.

v3:
- Track the old start/range separately. vma_size/start() uses the va info directly.

(cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.8
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.8.1 (inc) to 6.12.80 (exc)
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's drm/xe component, specifically in how the VM bind code tracks the "prev" and "next" virtual memory areas (vma) produced by a remap during 3D workloads. The issue arises when a rebind operation lands in the middle of an existing vma and one or both of the mapped ends are already compatible, so their rebind is skipped. In that skip case the driver set the prev/next tracking pointers to NULL and shrank the original unmap virtual address range so that the ends would not be unmapped.

If an unwind path is triggered, it can leave three virtual address ranges where the two ends are never removed, and the middle range remains shrunken. Subsequent operations that try to re-insert or interact with these ranges may cause overlaps, triggering warnings and leaving the virtual memory in an inconsistent or bad state.

The fix involves two main changes: 1) preserving the prev/next tracking pointers instead of nuking them during skip cases, allowing correct removal of both ends during unwind, and 2) undoing the unmap virtual address shrinkage on the unwind path so the unmap range expands back to its original size before re-insertion.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel's virtual memory management for GPU 3D workloads to enter an inconsistent state. Specifically, it can lead to overlapping virtual memory areas and warnings during GPU operations.

The impact includes potential instability or crashes in GPU-related processes, which may affect system reliability and performance during 3D workloads. It could also lead to unexpected behavior in applications relying on the drm/xe driver for GPU memory management.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the Linux kernel logs for specific warning messages related to the drm/xe driver. The presence of warnings such as the following indicates the issue:

  • [ 413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925

To detect this on your system, you can use commands to check the kernel log for these warnings. For example:

  • sudo dmesg | grep 'drivers/gpu/drm/xe/xe_vm.c'
  • sudo journalctl -k | grep 'vm_bind_ioctl_ops_unwind'

These commands will help identify if the kernel has logged warnings related to this vulnerability, indicating that the issue may be present.
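The two grep one-liners above answer "is the string present"; the script below, an added example that is not part of this CVE record, turns the same signature into a small reusable check. It filters log text for WARNING lines that name either the file/line or the unwinding function from the quoted warning, counts them, and pulls the CPU, process name and PID out of the `CPU#7: vkd3d_queue/9925` suffix so you can see which workload hit it. The sample log embedded in `SAMPLE_LOG` is constructed for the demonstration; the two xe lines in it are copied from the warning quoted above, the "unrelated" line is made up. On a live system feed it `dmesg` or `journalctl -k` output instead.

```shell
#!/bin/sh
# Added example (not from the CVE record or the kernel project): detect the
# drm/xe VM-bind unwind warning described in CVE-2026-31479 in kernel log text.

# Signature taken from the quoted warning line. Both the file path and the
# symbol are matched because some collectors truncate one or the other.
XE_WARN_FILE='drivers/gpu/drm/xe/xe_vm\.c'
XE_WARN_SYM='vm_bind_ioctl_ops_unwind'

# Print only WARNING lines carrying the signature (stdin -> stdout).
# The RIP/backtrace lines that also mention the symbol are deliberately
# excluded: one WARNING line equals one occurrence.
xe_warning_lines() {
    grep -E "WARNING:.*(${XE_WARN_FILE}|${XE_WARN_SYM})"
}

# Number of matching WARNING lines on stdin (prints "0" when there are none;
# the pipeline always exits 0 so it composes under set -e).
count_xe_warnings() {
    xe_warning_lines | wc -l | tr -d ' '
}

# One "cpu=N comm=NAME pid=N" line per hit, parsed from the "CPU#7: comm/pid"
# suffix the kernel appends to the warning.
xe_warning_summary() {
    xe_warning_lines |
        sed -n 's|.*CPU#\([0-9]*\): \([^/]*\)/\([0-9]*\).*|cpu=\1 comm=\2 pid=\3|p'
}

# Constructed sample log: the two "[xe]" lines are from the advisory's quoted
# warning, the last line is an invented unrelated warning that must not match.
SAMPLE_LOG='[  413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925
[  413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe]
[  413.362096] xe_vm_bind_ioctl+0xa9a/0xc60 [xe]
[  500.000000] WARNING: some_unrelated_driver.c:10 at other_func+0x1/0x2 [other], CPU#1: other_proc/123'

# Demonstration on the constructed sample. For a real host use, for example:
#   sudo dmesg | xe_warning_summary
#   sudo journalctl -k --no-pager | count_xe_warnings
printf '%s\n' "$SAMPLE_LOG" | xe_warning_summary
echo "hits: $(printf '%s\n' "$SAMPLE_LOG" | count_xe_warnings)"
```

A non-zero count only tells you the unwind warning fired; it does not by itself say which kernel version is running, so pair it with a version check against the affected ranges listed in the CPE table when deciding whether an update is still pending.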


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by changes that ensure proper tracking and handling of virtual memory areas (vma) during 3D workloads involving the drm/xe driver.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability, specifically one that contains the commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac or later.
  • Monitor kernel logs for the warning messages to detect if the issue is occurring before applying the update.
  • If updating the kernel immediately is not possible, consider limiting or avoiding workloads that trigger the drm/xe driver operations involved in this vulnerability.
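To decide whether the first mitigation step still applies to a given host, the kernel version has to be compared with the affected ranges. The script below is an added example, not part of this CVE record, that takes the three "From X (inc) to Y (exc)" ranges from the page's CPE table and tests a `uname -r` style version string against them. It strips distribution suffixes such as `-generic` or `-rc3` before comparing, so the comparison is purely on the numeric `major.minor.patch` triple. The standalone `6.8` and `7.0` entries in that table carry no range, so they are not encoded here; a kernel outside the three listed ranges is reported as "not in a listed range", which is not the same as "fixed".

```shell
#!/bin/sh
# Added example (not from the CVE record or the kernel project): check a kernel
# version string against the affected ranges listed for CVE-2026-31479.

# Normalise "6.12.79-generic" or "7.0.0-rc3" to three numeric fields
# ("6 12 79", "7 0 0"); missing fields are padded with 0.
ver_key() {
    v=${1%%-*}          # drop "-generic", "-rc3", ... suffixes
    v=${v%%+*}          # drop a trailing "+" (locally modified build)
    oldifs=$IFS
    IFS=.
    set -- $v
    IFS=$oldifs
    printf '%d %d %d' "${1:-0}" "${2:-0}" "${3:-0}"
}

# ver_lt A B: exit status 0 when version A is strictly lower than B.
ver_lt() {
    set -- $(ver_key "$1") $(ver_key "$2")
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Affected ranges from the page's CPE table, as lower:upper pairs where the
# lower bound is inclusive and the upper bound exclusive.
AFFECTED_RANGES="6.8.1:6.12.80 6.13:6.18.21 6.19:6.19.11"

# kernel_affected VERSION: prints a verdict; exit status 0 when VERSION falls
# inside one of the listed ranges, 1 otherwise.
kernel_affected() {
    for r in $AFFECTED_RANGES; do
        lo=${r%%:*}
        hi=${r##*:}
        if ! ver_lt "$1" "$lo" && ver_lt "$1" "$hi"; then
            echo "affected: $1 is in [$lo, $hi)"
            return 0
        fi
    done
    echo "not in a listed range: $1"
    return 1
}

# Demonstration on constructed version strings plus the running kernel; the
# exit status of each call is deliberately not propagated here.
for v in 6.12.79-generic 6.12.80 6.18.20 7.0.0-rc3-generic "$(uname -r)"; do
    kernel_affected "$v" || :
done
```

When rolling this into fleet tooling, treat "affected" as authoritative and "not in a listed range" as "check the distribution's own advisory", since vendor kernels often carry backported fixes under version numbers that do not line up with the upstream ranges.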
