Description
In the Linux kernel, the following vulnerability has been resolved:

drm/ioc32: stop speculation on the drm_compat_ioctl path

The drm compat ioctl path takes a user controlled pointer, and then
dereferences it into a table of function pointers, the signature method
of spectre problems. Fix this up by calling array_index_nospec() on the
index to the function pointer list.
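
An added illustration of the clamp that array_index_nospec() applies before a function-pointer table lookup, written as a user-space C model. It is not the kernel patch or code from this record; the handler table, handler functions and dispatch() are hypothetical, and only the mask arithmetic follows the kernel's generic helper.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* All-ones when index < size, zero otherwise, computed without a branch
 * (same arithmetic as the kernel's generic array_index_mask_nospec()).
 * Relies on arithmetic right shift of a negative long, as gcc/clang do. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    __asm__ volatile("" : "+r"(index)); /* stop the compiler re-creating a branch */
    return (unsigned long)(~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1));
}

/* Clamp: in-range indexes pass through, out-of-range indexes become 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

typedef long (*handler_fn)(unsigned long arg);
static long h_version(unsigned long arg) { (void)arg; return 100; }
static long h_get(unsigned long arg) { return (long)arg + 1; }
static long h_set(unsigned long arg) { return (long)arg * 2; }

/* Hypothetical table standing in for a compat ioctl handler list. */
static const handler_fn handlers[] = { h_version, h_get, h_set };

static long dispatch(unsigned long nr, unsigned long arg)
{
    if (nr >= ARRAY_SIZE(handlers))   /* architectural bounds check */
        return -1;
    /* A mispredicted branch can reach this point speculatively with an
     * out-of-range nr; the data-dependent clamp forces that index to 0. */
    nr = index_nospec(nr, ARRAY_SIZE(handlers));
    return handlers[nr](arg);
}

int main(void)
{
    printf("mask(2,3)=%#lx mask(3,3)=%#lx\n", index_mask_nospec(2, 3), index_mask_nospec(3, 3));
    printf("dispatch(1,41)=%ld dispatch(7,0)=%ld\n", dispatch(1, 41), dispatch(7, 0));
    return 0;
}
```

The bounds check alone is correct architecturally; the clamp matters because the mask is a data dependency the CPU cannot skip by predicting a branch.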
Published: 2026-05-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A user-controlled pointer in the drm_compat_ioctl path of the Linux kernel could be speculatively dereferenced into a table of function pointers, exposing the kernel to a Spectre‑type side‑channel attack. The vulnerability allows an attacker to influence speculative execution paths and potentially read or leak sensitive data during the execution of privileged code.

Affected Systems

All Linux kernels that include the drm/ioc32 component are affected, regardless of vendor, because the issue resides in the core kernel source. No specific version range is provided, but any kernel compiled with the drm compatibility layer prior to the commit that introduced array_index_nospec() is at risk.

Risk and Exploitability

The risk is a side‑channel data leak rather than direct control of kernel code. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, indicating limited or no proof‑of‑concept exploitation yet. No CVSS score is provided, but a Spectre‑like flaw is traditionally considered high risk. Exploitation would require influencing speculative execution, which is a complex privilege‑escalation vector.

Generated by OpenCVE AI on May 2, 2026 at 07:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that incorporates the array_index_nospec() protection in the drm compat ioctl path.
  • Reboot the system to ensure the updated kernel is active.
  • If a kernel update is not immediately possible, restrict or disable access to DRM ioctl interfaces to minimize the attack surface until the patch can be applied.

Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6243-1 | linux security update
History

Sat, 02 May 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/ioc32: stop speculation on the drm_compat_ioctl path The drm compat ioctl path takes a user controlled pointer, and then dereferences it into a table of function pointers, the signature method of spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list.
Title drm/ioc32: stop speculation on the drm_compat_ioctl path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:15:07.933Z

Reserved: 2026-03-09T15:48:24.141Z

Link: CVE-2026-31781

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-01T15:16:41.577

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31781

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:30:36Z