Description
In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Unlink NV12 planes earlier

unlink_nv12_plane() will clobber parts of the plane state
potentially already set up by plane_atomic_check(), so we
must make sure not to call the two in the wrong order.
The problem happens when a plane previously selected as
a Y plane is now configured as a normal plane by user space.
plane_atomic_check() will first compute the proper plane
state based on the userspace request, and unlink_nv12_plane()
later clears some of the state.

This used to work on account of unlink_nv12_plane() skipping
the state clearing based on the plane visibility. But I removed
that check, thinking it was an impossible situation. Now when
that situation happens unlink_nv12_plane() will just WARN
and proceed to clobber the state.

Rather than reverting to the old way of doing things, I think
it's more clear if we unlink the NV12 planes before we even
compute the new plane state.

(cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel data corruption leading to potential crashes
Action: Apply Patch
AI Analysis

Impact

The unlink_nv12_plane() routine in the Intel i915 DRM driver overwrites parts of the plane state that have already been established by plane_atomic_check(). This behavior aligns with CWE‑366, which denotes unsafe handling of internal state that can result in corruption. The consequence is a warning followed by kernel data structure corruption, potentially causing crashes or undefined behavior within the graphics subsystem and denying service for processes that rely on the DRM interface.

Affected Systems

Vulnerable kernels include Linux 6.15 and all 7.0 release‑candidate builds (rc1 through rc7). The flaw manifests on systems equipped with Intel i915 graphics hardware that interact with the DRM subsystem.

Risk and Exploitability

The CVSS score of 5.5 reflects moderate severity. An EPSS score of less than 1 % indicates a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local user who can supply a DRM request that triggers the plane type change, making the attack vector local. An attacker would need to drive the driver into the problematic state transition; successful exploitation could crash the kernel or cause a denial of service for all graphics users.

Generated by OpenCVE AI on April 28, 2026 at 14:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the fix for unlink_nv12_plane(), such as the latest 6.15 patch release or any 7.x release that incorporates the patch.
  • If an immediate kernel upgrade is not possible, restrict unprivileged users’ access to /dev/dri/* so that only trusted accounts can interact with the graphics subsystem until the patch is applied.
  • Monitor kernel logs for WARN messages containing unlink_nv12_plane() and investigate any such occurrences to confirm that the flaw has not been triggered.

Generated by OpenCVE AI on April 28, 2026 at 14:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/i915: Unlink NV12 planes earlier unlink_nv12_plane() will clobber parts of the plane state potentially already set up by plane_atomic_check(), so we must make sure not to call the two in the wrong order. The problem happens when a plane previously selected as a Y plane is now configured as a normal plane by user space. plane_atomic_check() will first compute the proper plane state based on the userspace request, and unlink_nv12_plane() later clears some of the state. This used to work on account of unlink_nv12_plane() skipping the state clearing based on the plane visibility. But I removed that check, thinking it was an impossible situation. Now when that situation happens unlink_nv12_plane() will just WARN and proceed to clobber the state. Rather than reverting to the old way of doing things, I think it's more clear if we unlink the NV12 planes before we even compute the new plane state. (cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)
Title drm/i915: Unlink NV12 planes earlier
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:21.787Z

Reserved: 2026-03-09T15:48:24.117Z

Link: CVE-2026-31571

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:31.653

Modified: 2026-04-27T20:33:43.247

Link: CVE-2026-31571

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31571 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:15:34Z

Weaknesses