{
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat",
    "id" : "2461525",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461525"
  },
  "cwe" : "CWE-911",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat\nA use-after-free / refcount underflow is possible when the heartbeat\nworker and intel_engine_park_heartbeat() race to release the same\nengine->heartbeat.systole request.\nThe heartbeat worker reads engine->heartbeat.systole and calls\ni915_request_put() on it when the request is complete, but clears\nthe pointer in a separate, non-atomic step. Concurrently, a request\nretirement on another CPU can drop the engine wakeref to zero, triggering\n__engine_park() -> intel_engine_park_heartbeat(). If the heartbeat\ntimer is pending at that point, cancel_delayed_work() returns true and\nintel_engine_park_heartbeat() reads the stale non-NULL systole pointer\nand calls i915_request_put() on it again, causing a refcount underflow:\n```\n<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]\n<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0\n...\n<4> [487.222707] Call Trace:\n<4> [487.222711]  <TASK>\n<4> [487.222716]  intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]\n<4> [487.223115]  intel_engine_park_heartbeat+0x25/0x40 [i915]\n<4> [487.223566]  __engine_park+0xb9/0x650 [i915]\n<4> [487.223973]  ____intel_wakeref_put_last+0x2e/0xb0 [i915]\n<4> [487.224408]  __intel_wakeref_put_last+0x72/0x90 [i915]\n<4> [487.224797]  intel_context_exit_engine+0x7c/0x80 [i915]\n<4> [487.225238]  intel_context_exit+0xf1/0x1b0 [i915]\n<4> [487.225695]  i915_request_retire.part.0+0x1b9/0x530 [i915]\n<4> [487.226178]  i915_request_retire+0x1c/0x40 [i915]\n<4> [487.226625]  engine_retire+0x122/0x180 [i915]\n<4> [487.227037]  process_one_work+0x239/0x760\n<4> [487.227060]  worker_thread+0x200/0x3f0\n<4> [487.227068]  ? __pfx_worker_thread+0x10/0x10\n<4> [487.227075]  kthread+0x10d/0x150\n<4> [487.227083]  ? __pfx_kthread+0x10/0x10\n<4> [487.227092]  ret_from_fork+0x3d4/0x480\n<4> [487.227099]  ? __pfx_kthread+0x10/0x10\n<4> [487.227107]  ret_from_fork_asm+0x1a/0x30\n<4> [487.227141]  </TASK>\n```\nFix this by replacing the non-atomic pointer read + separate clear with\nxchg() in both racing paths. xchg() is a single indivisible hardware\ninstruction that atomically reads the old pointer and writes NULL. This\nguarantees only one of the two concurrent callers obtains the non-NULL\npointer and performs the put, the other gets NULL and skips it.\n(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)", "A flaw was found in the Linux kernel's i915 graphics driver. A race condition exists between the heartbeat worker and `intel_engine_park_heartbeat()` functions when releasing an engine request. This can lead to a reference count (refcount) underflow, resulting in a use-after-free vulnerability. A local attacker could potentially exploit this to cause a denial of service." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31656\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31656\nhttps://lore.kernel.org/linux-cve-announce/2026042402-CVE-2026-31656-050b@gregkh/T" ],
  "name" : "CVE-2026-31656",
  "csaw" : false
}