CVE-2026-31603 - Vulnerability Details

- staging: sm750fb: fix division by zero in ps_to_hz()

Description

In the Linux kernel, the following vulnerability has been resolved:

staging: sm750fb: fix division by zero in ps_to_hz()

ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating
that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO
causes a division by zero.

Fix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent
with other framebuffer drivers.

Published: 2026-04-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, the framebuffer driver sm750fb contains a function ps_to_hz that divides by the pixclock value supplied by the FBIOPUT_VSCREENINFO ioctl. When a zero pixclock is passed, the driver performs an illicit division by zero. This arithmetic error (CWE‑369) could lead to a kernel crash or system reboot (inferred). The absence of validation allows an attacker to trigger a denial of service.

Affected Systems

The vulnerability applies to any Linux kernel build that includes the staging sm750fb framebuffer driver before the patch is applied. No specific kernel versions are enumerated, so all builds containing this code are potentially affected.

Risk and Exploitability

The EPSS score is less than 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of exploitation. The CVSS score is 5.5, indicating moderate severity. The likely attack vector involves a privileged user issuing the FBIOPUT_VSCREENINFO ioctl to set pixclock to zero, which can trigger a division by zero. Based on the description, it is inferred that the ioctl typically requires privileged or root access. Once patched, the driver rejects zero pixclock values, preventing the division by zero. The impact is high in environments with the sm750fb driver but the overall risk remains modest due to the low exploitation probability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`81dee67e215b23f0c98182eece122b906d35765a`	affected	< 124a43550db8a74eef080cd4573a4904efe67029
`81dee67e215b23f0c98182eece122b906d35765a`	affected	< b285a8f3bbb821a93eb37c2740a68ca1d7112a59
`81dee67e215b23f0c98182eece122b906d35765a`	affected	< 3300b049693138852a4c6738b5f1194a1ee91ddd
`81dee67e215b23f0c98182eece122b906d35765a`	affected	< 779412e0e391fd4a0d12e1d1adaa7bf043de62d7
`81dee67e215b23f0c98182eece122b906d35765a`	affected	< 2f640c6043aeab31a2f607d7605271860c3b11df
`81dee67e215b23f0c98182eece122b906d35765a`	affected	< 1412ba36597a82e928f20047f41d6c6582dafe8a
`81dee67e215b23f0c98182eece122b906d35765a`	affected	< 6144895a4335a2491c282931f1f2fa610b86339f
`81dee67e215b23f0c98182eece122b906d35765a`	affected	< daf6733bd7c4c5015b431739ac29b0e29021096b
`81dee67e215b23f0c98182eece122b906d35765a`	affected	< 75a1621e4f91310673c9acbcbb25c2a7ff821cd3

Linux

affected

Version	Status	Constraints
`4.1`	affected	—
`0`	unaffected	< 4.1
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[81dee67e215b23f0c98182eece122b906d35765a,779412e0e391fd4a0d12e1d1adaa7bf043de62d7)`	affected	code_commit	—
`[81dee67e215b23f0c98182eece122b906d35765a,2f640c6043aeab31a2f607d7605271860c3b11df)`	affected	code_commit	—
`[81dee67e215b23f0c98182eece122b906d35765a,1412ba36597a82e928f20047f41d6c6582dafe8a)`	affected	code_commit	—
`[81dee67e215b23f0c98182eece122b906d35765a,6144895a4335a2491c282931f1f2fa610b86339f)`	affected	code_commit	—
`[81dee67e215b23f0c98182eece122b906d35765a,daf6733bd7c4c5015b431739ac29b0e29021096b)`	affected	code_commit	—
`[81dee67e215b23f0c98182eece122b906d35765a,75a1621e4f91310673c9acbcbb25c2a7ff821cd3)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.1`	affected	generic	—
`[0,4.1)`	unaffected	generic	—
`[6.6.136,6.7.0)`	unaffected	semver	—
`[6.12.83,6.13.0)`	unaffected	semver	—
`[6.18.24,6.19.0)`	unaffected	semver	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0.1,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*)`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that includes the sm750fb driver patch.
If the kernel cannot be updated immediately, remove or restrict access to the /dev/fb* devices for non‑privileged users to prevent the FBIOPUT_VSCREENINFO ioctl from being invoked.
Audit system usage of framebuffer devices and monitor for attempts to set pixclock to zero, enforcing privilege boundaries around framebuffer ioctl calls.

Generated by OpenCVE AI on April 29, 2026 at 21:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/124a43550db8a74eef080cd4573a4904efe67029
https://git.kernel.org/stable/c/1412ba36597a82e928f20047f41d6c6582dafe8a
https://git.kernel.org/stable/c/2f640c6043aeab31a2f607d7605271860c3b11df
https://git.kernel.org/stable/c/3300b049693138852a4c6738b5f1194a1ee91ddd
https://git.kernel.org/stable/c/6144895a4335a2491c282931f1f2fa610b86339f
https://git.kernel.org/stable/c/75a1621e4f91310673c9acbcbb25c2a7ff821cd3
https://git.kernel.org/stable/c/779412e0e391fd4a0d12e1d1adaa7bf043de62d7
https://git.kernel.org/stable/c/b285a8f3bbb821a93eb37c2740a68ca1d7112a59
https://git.kernel.org/stable/c/daf6733bd7c4c5015b431739ac29b0e29021096b
https://lore.kernel.org/linux-cve-announce/2026042419-CVE-2026-31603-bfce@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31603
https://www.cve.org/CVERecord?id=CVE-2026-31603

History

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/124a43550db8a74eef080cd4573a4904efe67029 https://git.kernel.org/stable/c/3300b049693138852a4c6738b5f1194a1ee91ddd https://git.kernel.org/stable/c/b285a8f3bbb821a93eb37c2740a68ca1d7112a59

Wed, 29 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/779412e0e391fd4a0d12e1d1adaa7bf043de62d7

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/75a1621e4f91310673c9acbcbb25c2a7ff821cd3

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-369
References		https://lore.kernel.org/linux-cve-announce/2026042419-CVE-2026-31603-bfce@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31603 https://www.cve.org/CVERecord?id=CVE-2026-31603

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: staging: sm750fb: fix division by zero in ps_to_hz() ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO causes a division by zero. Fix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent with other framebuffer drivers.
Title		staging: sm750fb: fix division by zero in ps_to_hz()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1412ba36597a82e928f20047f41d6c6582dafe8a https://git.kernel.org/stable/c/2f640c6043aeab31a2f607d7605271860c3b11df https://git.kernel.org/stable/c/6144895a4335a2491c282931f1f2fa610b86339f https://git.kernel.org/stable/c/daf6733bd7c4c5015b431739ac29b0e29021096b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:26.601Z

Updated: 2026-06-01T16:12:25.229Z

Reserved: 2026-03-09T15:48:24.122Z

Link: CVE-2026-31603

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-04-24T15:16:39.453

Modified: 2026-06-01T17:16:51.030

Link: CVE-2026-31603

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31603 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z

Weaknesses

CWE-369

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object