CVE-2026-31540: Linux Kernel Use-After-Free Vulnerability

CVE-2026-31540 Overview

CVE-2026-31540 is a Null Pointer Dereference vulnerability in the Linux kernel's Intel i915 graphics driver. The vulnerability exists in the drm/i915/gt subsystem where the set_default_submission() function pointer is dereferenced without first verifying it has been properly initialized. This condition occurs when the i915 driver firmware binaries are not present on the system, leaving the pointer unset while still being called during system suspend operations.

Critical Impact
Systems with Intel integrated graphics running affected kernel versions may experience kernel panics and system crashes during suspend/resume cycles when the i915 firmware is missing, leading to denial of service conditions.

Affected Products

Linux Kernel versions prior to patched releases
Linux Kernel 7.0 release candidates (rc1 through rc4)
Systems utilizing Intel i915 integrated graphics drivers

Discovery Timeline

April 24, 2026 - CVE-2026-31540 published to NVD
April 28, 2026 - Last updated in NVD database

Technical Details for CVE-2026-31540

Vulnerability Analysis

This vulnerability stems from a missing null pointer check in the Intel i915 graphics driver's submission handling code. During the system suspend sequence, the kernel invokes intel_engines_reset_default_submission() which iterates through graphics engines and calls their set_default_submission function pointers. When the i915 firmware binaries are absent from the system, this function pointer is never initialized but is still dereferenced, resulting in a kernel NULL pointer dereference.

The crash occurs specifically in the gt_sanitize() function path during late suspend operations. The kernel stack trace shows the vulnerability is triggered through the following call chain: i915_drm_suspend_late → i915_gem_suspend_late → intel_gt_unset_wedged → __intel_gt_unset_wedged → intel_engines_reset_default_submission. The RIP register shows 0x0, confirming the null pointer dereference when attempting to execute code at address zero.

Root Cause

The root cause is an improper validation issue (CWE-476: NULL Pointer Dereference) in the i915 driver code. The set_default_submission function pointer is conditionally initialized based on firmware availability, but the code that dereferences this pointer during suspend operations does not check whether initialization occurred. This creates a code path where a null function pointer can be invoked, causing an immediate kernel panic.

Attack Vector

This vulnerability requires local access to the system and is triggered under specific conditions:

The system must have Intel integrated graphics using the i915 driver
The i915 firmware binaries must be missing from the system (typically in /lib/firmware/i915/)
The system must enter a suspend state (PM suspend entry)

While this is not remotely exploitable, a local attacker with limited privileges could potentially trigger the vulnerability by initiating a system suspend, causing a denial of service condition. The vulnerability is particularly concerning for systems where firmware packages are incomplete or corrupted, as routine power management operations would cause system instability.

The kernel oops message clearly indicates the issue:

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:0x0
Call Trace:
  intel_engines_reset_default_submission+0x42/0x60
  __intel_gt_unset_wedged+0x191/0x200
  intel_gt_unset_wedged+0x20/0x40
  gt_sanitize+0x15e/0x170
  i915_gem_suspend_late+0x6b/0x180

Detection Methods for CVE-2026-31540

Indicators of Compromise

Kernel oops messages containing BUG: kernel NULL pointer dereference during suspend operations
Stack traces referencing intel_engines_reset_default_submission in kernel logs
System crashes or unresponsive states when entering sleep or suspend modes
Missing i915 firmware files in /lib/firmware/i915/ directory combined with Intel graphics hardware

Detection Strategies

Monitor kernel logs (dmesg or /var/log/kern.log) for NULL pointer dereference errors involving i915 driver components
Implement automated scanning for missing firmware packages using package management tools
Use SentinelOne's kernel-level monitoring to detect anomalous driver behavior and crash conditions
Deploy auditd rules to monitor suspend/resume events and correlate with system stability issues

Monitoring Recommendations

Configure system monitoring to alert on kernel oops events, particularly those involving the i915 driver subsystem
Establish baseline firmware package inventories and alert when critical firmware files are missing
Implement crash dump collection to capture kernel state during failures for forensic analysis
Monitor for repeated suspend/resume failures that may indicate exploitation attempts or vulnerable configurations

How to Mitigate CVE-2026-31540

Immediate Actions Required

Update the Linux kernel to a patched version that includes the null pointer check before dereferencing
Verify that i915 firmware binaries are properly installed on systems with Intel integrated graphics
Temporarily disable suspend functionality on affected systems if patching is not immediately possible
Review system logs for evidence of prior exploitation or crashes related to this vulnerability

Patch Information

Multiple patches have been released across stable kernel branches to address this vulnerability. The fix adds a conditional check to verify that set_default_submission is non-null before dereferencing:

The patch was cherry-picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad.

Workarounds

Install the missing i915 firmware packages (typically linux-firmware or distribution-specific firmware packages)
Disable system suspend/hibernate functionality by masking the systemd sleep targets: systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
Blacklist the i915 module if Intel graphics are not required: add blacklist i915 to /etc/modprobe.d/blacklist.conf
For systems requiring graphics but not suspend, consider using alternative graphics drivers if available

bash

# Install missing firmware (Debian/Ubuntu)
sudo apt update && sudo apt install firmware-misc-nonfree linux-firmware

# Verify i915 firmware presence
ls -la /lib/firmware/i915/

# Disable suspend as temporary workaround
sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

# Re-enable after patching
sudo systemctl unmask sleep.target suspend.target hibernate.target hybrid-sleep.target

CVE-2026-31540 Overview

Critical Impact
Systems with Intel integrated graphics running affected kernel versions may experience kernel panics and system crashes during suspend/resume cycles when the i915 firmware is missing, leading to denial of service conditions.

Affected Products

Linux Kernel versions prior to patched releases
Linux Kernel 7.0 release candidates (rc1 through rc4)
Systems utilizing Intel i915 integrated graphics drivers

Discovery Timeline

April 24, 2026 - CVE-2026-31540 published to NVD
April 28, 2026 - Last updated in NVD database

Technical Details for CVE-2026-31540

Vulnerability Analysis

Root Cause

Attack Vector

This vulnerability requires local access to the system and is triggered under specific conditions:

The system must have Intel integrated graphics using the i915 driver
The i915 firmware binaries must be missing from the system (typically in /lib/firmware/i915/)
The system must enter a suspend state (PM suspend entry)

The kernel oops message clearly indicates the issue:

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:0x0
Call Trace:
  intel_engines_reset_default_submission+0x42/0x60
  __intel_gt_unset_wedged+0x191/0x200
  intel_gt_unset_wedged+0x20/0x40
  gt_sanitize+0x15e/0x170
  i915_gem_suspend_late+0x6b/0x180

Detection Methods for CVE-2026-31540

Indicators of Compromise

Kernel oops messages containing BUG: kernel NULL pointer dereference during suspend operations
Stack traces referencing intel_engines_reset_default_submission in kernel logs
System crashes or unresponsive states when entering sleep or suspend modes
Missing i915 firmware files in /lib/firmware/i915/ directory combined with Intel graphics hardware

Detection Strategies

Monitor kernel logs (dmesg or /var/log/kern.log) for NULL pointer dereference errors involving i915 driver components
Implement automated scanning for missing firmware packages using package management tools
Use SentinelOne's kernel-level monitoring to detect anomalous driver behavior and crash conditions
Deploy auditd rules to monitor suspend/resume events and correlate with system stability issues

Monitoring Recommendations

Configure system monitoring to alert on kernel oops events, particularly those involving the i915 driver subsystem
Establish baseline firmware package inventories and alert when critical firmware files are missing
Implement crash dump collection to capture kernel state during failures for forensic analysis
Monitor for repeated suspend/resume failures that may indicate exploitation attempts or vulnerable configurations

How to Mitigate CVE-2026-31540

Immediate Actions Required

Update the Linux kernel to a patched version that includes the null pointer check before dereferencing
Verify that i915 firmware binaries are properly installed on systems with Intel integrated graphics
Temporarily disable suspend functionality on affected systems if patching is not immediately possible
Review system logs for evidence of prior exploitation or crashes related to this vulnerability

Patch Information

The patch was cherry-picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad.

Workarounds

Install the missing i915 firmware packages (typically linux-firmware or distribution-specific firmware packages)
Disable system suspend/hibernate functionality by masking the systemd sleep targets: systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
Blacklist the i915 module if Intel graphics are not required: add blacklist i915 to /etc/modprobe.d/blacklist.conf
For systems requiring graphics but not suspend, consider using alternative graphics drivers if available

bash

# Install missing firmware (Debian/Ubuntu)
sudo apt update && sudo apt install firmware-misc-nonfree linux-firmware

# Verify i915 firmware presence
ls -la /lib/firmware/i915/

# Disable suspend as temporary workaround
sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

# Re-enable after patching
sudo systemctl unmask sleep.target suspend.target hibernate.target hybrid-sleep.target

CVE-2026-31540: Linux Kernel Use-After-Free Vulnerability

CVE-2026-31540 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-31540

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-31540

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-31540

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-31540: Linux Kernel Use-After-Free Vulnerability

CVE-2026-31540 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-31540

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-31540

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-31540

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform