CVE-2026-31656 Overview
A use-after-free and refcount underflow vulnerability has been identified in the Linux kernel's Intel i915 graphics driver. The flaw exists in the intel_engine_park_heartbeat function within the DRM (Direct Rendering Manager) subsystem, where a race condition between the heartbeat worker and the engine parking mechanism can lead to a double-free scenario on the engine->heartbeat.systole request object.
The vulnerability occurs when the heartbeat worker reads and attempts to release the engine->heartbeat.systole pointer using i915_request_put() while simultaneously, on another CPU, request retirement can drop the engine wakeref to zero. This triggers __engine_park() followed by intel_engine_park_heartbeat(), which may also attempt to release the same pointer if the heartbeat timer was pending, resulting in a refcount underflow.
Critical Impact
Successful exploitation could allow a local attacker with low privileges to trigger a use-after-free condition, potentially leading to privilege escalation, arbitrary code execution, or system crashes on systems with Intel integrated graphics.
Affected Products
- Linux Kernel version 5.5 and later
- Linux Kernel 7.0 release candidates (rc1 through rc7)
- Systems utilizing Intel i915 graphics drivers (DRM/KMS subsystem)
Discovery Timeline
- 2026-04-24 - CVE-2026-31656 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31656
Vulnerability Analysis
This vulnerability is classified as CWE-191 (Integer Underflow), though it manifests as a use-after-free condition through a refcount underflow mechanism. The core issue stems from a Time-of-Check Time-of-Use (TOCTOU) race condition in the i915 driver's heartbeat management code.
The heartbeat mechanism in the i915 driver monitors GPU engine health by periodically submitting "heartbeat" requests. When an engine is parked due to inactivity, the driver must safely clean up any pending heartbeat state. The vulnerable code path involves two concurrent operations that can both attempt to decrement the reference count on the same systole request object.
The attack requires local access to the system, and while it has low attack complexity, exploitation timing is critical due to the race condition nature of the vulnerability. An attacker could potentially craft workloads that increase the likelihood of triggering the race window, particularly on multi-core systems where the heartbeat worker and engine retirement can execute in parallel.
Root Cause
The root cause is a non-atomic read-then-clear operation on the engine->heartbeat.systole pointer. The original implementation performed these as two separate steps:
- Read the pointer value to check if it's non-NULL
- Clear the pointer by setting it to NULL
- Call i915_request_put() on the retrieved pointer
This sequence creates a race window where both the heartbeat worker and intel_engine_park_heartbeat() can obtain the same non-NULL pointer before either has a chance to clear it, leading to both paths calling i915_request_put() on the same request and causing a refcount underflow.
Attack Vector
The attack vector is local, requiring an attacker to have low-level access to a system running a vulnerable Linux kernel with Intel i915 graphics hardware. The exploitation scenario involves:
The attacker can manipulate GPU workloads to create conditions where the heartbeat timer is active while engine retirement is occurring. By carefully timing these operations on a multi-core system, an attacker could reliably trigger the race condition. The resulting refcount underflow causes the kernel to access freed memory when the refcount erroneously reaches zero, potentially allowing the attacker to corrupt kernel memory or hijack control flow.
The kernel call trace documented in the vulnerability report shows the race manifesting through the i915-unordered workqueue during engine_retire operations, with the crash occurring at refcount_warn_saturate when the underflow is detected.
Detection Methods for CVE-2026-31656
Indicators of Compromise
- Kernel warnings or panics with refcount_warn_saturate in the call stack
- Stack traces showing intel_engine_park_heartbeat followed by __engine_park in kernel logs
- Unexpected system crashes or freezes when GPU workloads are running on Intel integrated graphics
- WARN or BUG messages in dmesg output related to i915 request reference counting
Detection Strategies
- Monitor kernel logs (/var/log/kern.log, dmesg) for refcount saturation warnings involving i915 driver functions
- Implement kernel tracing (ftrace) to monitor intel_engine_park_heartbeat and i915_request_put function calls
- Deploy endpoint detection rules that alert on kernel oops or panics with i915-related stack traces
- Use SentinelOne's kernel integrity monitoring to detect anomalous behavior in DRM subsystem operations
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture full system state during exploitation attempts
- Configure alerting for any refcount_warn_saturate messages in system logs
- Monitor for unusual GPU engine park/unpark frequency patterns that could indicate exploitation attempts
- Implement rate limiting alerts for i915-related kernel warnings to detect potential denial-of-service attacks
How to Mitigate CVE-2026-31656
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix (commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42 or its backports)
- On systems that cannot be immediately patched, consider disabling the i915 heartbeat mechanism if GPU performance monitoring is not critical
- Monitor affected systems closely for signs of exploitation until patches can be applied
- Restrict local access to systems with Intel integrated graphics to trusted users only
Patch Information
The fix replaces the non-atomic pointer read and separate clear operations with xchg() in both racing code paths. The xchg() instruction is a single, indivisible hardware operation that atomically reads the old pointer value and writes NULL in one step. This guarantees that only one of the two concurrent callers obtains the non-NULL pointer and performs the reference count decrement, while the other receives NULL and safely skips the operation.
Patches are available through the following kernel git commits:
- Stable kernel commit 2af8b200
- Stable kernel commit 455d98ed
- Stable kernel commit 4c71fd09
- Stable kernel commit 70d3e622
- Stable kernel commit 8ce44d28
- Stable kernel commit a00e92bf
- Stable kernel commit ca3f48c3
Workarounds
- Disable the i915 heartbeat feature by setting the i915.enable_heartbeat=0 kernel boot parameter (note: this may affect GPU hang detection)
- Limit system exposure by restricting physical and network access to affected systems
- On multi-user systems, implement strict user privilege controls to minimize the attack surface for local exploitation
- Consider using alternative graphics drivers (e.g., modesetting) if Intel GPU-specific features are not required
# Temporary workaround: Disable i915 heartbeat at boot
# Add to kernel command line in GRUB configuration
GRUB_CMDLINE_LINUX="i915.enable_heartbeat=0"
# After modifying /etc/default/grub, update GRUB configuration
sudo update-grub
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
