CVE-2026-31488 Overview
A use-after-free vulnerability has been identified in the Linux kernel's AMD display driver (drm/amd/display) related to Display Stream Compression (DSC) validation during atomic state checks. The vulnerability occurs when the CRTC state mode_changed flag is incorrectly reset to false during DSC configuration recomputation, leading to memory corruption issues including memory leaks and use-after-free conditions.
Critical Impact
This vulnerability can result in kernel memory corruption through use-after-free conditions in the AMD display driver, potentially leading to system instability, denial of service, or privilege escalation in affected Linux systems with AMD graphics hardware.
Affected Products
- Linux kernel with AMD display driver (drm/amd/display)
- Systems with AMD GPUs utilizing Display Stream Compression (DSC)
- Configurations involving MST (Multi-Stream Transport) and integrated displays
Discovery Timeline
- April 22, 2026 - CVE-2026-31488 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31488
Vulnerability Analysis
The vulnerability was introduced by commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check"), which added DSC pre-validation in the atomic check phase. The core issue lies in improper state management during Display Stream Compression validation in multi-display scenarios.
When a system experiences simultaneous changes to MST/DSC configuration and unrelated mode changes (such as enabling/disabling HDR on an integrated laptop panel while connecting external DP-MST screens), the driver incorrectly resets the mode_changed flag. This causes the driver to lose track of streams that need proper lifecycle management.
The memory corruption manifests in two ways:
Memory Leak: When dm_update_crtc_state() creates new streams for CRTCs with DSC-independent mode changes but the mode_changed flag is dropped, amdgpu_dm_commit_streams() never releases the old stream reference.
Use-After-Free: Subsequently, amdgpu_dm_atomic_commit_tail() fails to acquire a reference to the new stream, causing a use-after-free when the stream is disabled later, as evidenced by the KASAN error in dc_stream_release().
Root Cause
The root cause stems from the pre_validate_dsc() function unconditionally resetting the mode_changed flag to false when DSC configuration recomputation results in no timing change for a particular stream. This logic fails to account for scenarios where unrelated mode changes are pending in the same KMS (Kernel Mode Setting) commit.
The function lacks awareness of whether a CRTC has pending mode changes that are independent of DSC configuration, leading to premature flag clearing that disrupts the atomic commit state machine's ability to properly manage stream references.
Attack Vector
The vulnerability can be triggered through local access by manipulating display configurations. An attacker with the ability to modify display settings could potentially exploit this vulnerability by:
- Initiating a mode change on an integrated display (e.g., HDR toggle)
- Simultaneously connecting or reconfiguring external DP-MST displays
- Triggering the race condition where DSC validation incorrectly clears the mode_changed flag
The KASAN stack trace indicates the use-after-free occurs during workqueue processing (drm_mode_rmfb_work_fn), specifically when releasing DC streams during atomic state destruction.
The kernel panic trace shows the corruption path:
BUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu]
Write of size 4 at addr ffff88813d836524 by task kworker/9:9/29977
Workqueue: events drm_mode_rmfb_work_fn
Call Trace:
dc_stream_release+0x25/0x90 [amdgpu]
dc_state_destruct+0x14d/0x5c0 [amdgpu]
dc_state_release.part.0+0x4e/0x130 [amdgpu]
dm_atomic_destroy_state+0x3f/0x70 [amdgpu]
Detection Methods for CVE-2026-31488
Indicators of Compromise
- Kernel KASAN reports indicating use-after-free in dc_stream_release or related AMD display functions
- System crashes or kernel panics during display configuration changes, particularly when connecting/disconnecting external monitors
- Memory corruption warnings in kernel logs referencing the amdgpu or drm/amd/display modules
- Unexpected display behavior or flickering when using MST hubs with multiple monitors
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) to detect memory corruption at runtime with verbose logging
- Monitor kernel logs for stack traces involving amdgpu_dm_commit_streams, pre_validate_dsc, or dc_stream_release functions
- Deploy kernel debugging tools to track atomic commit state transitions in the DRM subsystem
- Use ftrace or eBPF probes to monitor the mode_changed flag state during display configuration changes
Monitoring Recommendations
- Configure kernel log monitoring for BUG: and KASAN: prefixes related to the amdgpu driver
- Implement automated alerting for kernel oops or panics in production environments with AMD graphics hardware
- Monitor system stability metrics during display hotplug events on affected systems
- Track memory usage patterns in the kernel display subsystem for anomalous growth indicative of leaks
How to Mitigate CVE-2026-31488
Immediate Actions Required
- Apply the kernel patches from the official stable branches as soon as possible
- Consider disabling DSC on affected systems as a temporary workaround if patches cannot be immediately applied
- Avoid simultaneous display configuration changes and MST device hotplugging on unpatched systems
- Monitor systems with AMD GPUs and multiple display configurations for signs of memory corruption
Patch Information
The vulnerability has been resolved in the Linux kernel stable branches. The fix involves preserving the original mode_changed flag value before DSC configuration validation and restoring it appropriately in pre_validate_dsc() rather than unconditionally clearing it.
The following kernel patches address this vulnerability:
The fix was cherry-picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b.
Workarounds
- Disable Display Stream Compression via kernel boot parameters or driver configuration until patching is complete
- Avoid using MST hubs with multiple external displays on laptops with integrated AMD graphics until patches are applied
- Disconnect external MST displays before making display mode changes (such as HDR toggles) on the integrated panel
- Consider using single-stream display configurations to reduce the attack surface
# Temporary workaround: Disable DSC via kernel module parameter
# Add to /etc/modprobe.d/amdgpu.conf
options amdgpu dc=1 dsc=0
# Verify current DSC status
cat /sys/module/amdgpu/parameters/dsc
# Apply kernel update on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade linux-image-generic
# Apply kernel update on RHEL/Fedora systems
sudo dnf update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
