{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Input: uinput - fix circular locking dependency with ff-core",
    "id" : "2461558",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461558"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-833",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nInput: uinput - fix circular locking dependency with ff-core\nA lockdep circular locking dependency warning can be triggered\nreproducibly when using a force-feedback gamepad with uinput (for\nexample, playing ELDEN RING under Wine with a Flydigi Vader 5\ncontroller):\nff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex\nThe cycle is caused by four lock acquisition paths:\n1. ff upload: input_ff_upload() holds ff->mutex and calls\nuinput_dev_upload_effect() -> uinput_request_submit() ->\nuinput_request_send(), which acquires udev->mutex.\n2. device create: uinput_ioctl_handler() holds udev->mutex and calls\nuinput_create_device() -> input_register_device(), which acquires\ninput_mutex.\n3. device register: input_register_device() holds input_mutex and\ncalls kbd_connect() -> input_register_handle(), which acquires\ndev->mutex.\n4. evdev release: evdev_release() calls input_flush_device() under\ndev->mutex, which calls input_ff_flush() acquiring ff->mutex.\nFix this by introducing a new state_lock spinlock to protect\nudev->state and udev->dev access in uinput_request_send() instead of\nacquiring udev->mutex.  The function only needs to atomically check\ndevice state and queue an input event into the ring buffer via\nuinput_dev_event() -- both operations are safe under a spinlock\n(ktime_get_ts64() and wake_up_interruptible() do not sleep).  This\nbreaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in\nthe lock ordering and cannot form cycles with mutexes.\nTo keep state transitions visible to uinput_request_send(), protect\nwrites to udev->state in uinput_create_device() and\nuinput_destroy_device() with the same state_lock spinlock.\nAdditionally, move init_completion(&request->done) from\nuinput_request_send() to uinput_request_submit() before\nuinput_request_reserve_slot().  Once the slot is allocated,\nuinput_flush_requests() may call complete() on it at any time from\nthe destroy path, so the completion must be initialised before the\nrequest becomes visible.\nLock ordering after the fix:\nff->mutex -> state_lock (spinlock, leaf)\nudev->mutex -> state_lock (spinlock, leaf)\nudev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)", "A flaw was found in the Linux kernel, specifically within the uinput (user input) and ff-core (force feedback core) modules. A local user, by interacting with a force-feedback gamepad through uinput, can trigger a condition where different parts of the system wait indefinitely for each other to release resources, known as a circular locking dependency. This can lead to a system deadlock, causing the affected system to become unresponsive." ],
  "statement" : "uinput force-feedback and core FF locking had a circular dependency; upstream reorders acquisition to prevent ABBA deadlocks. Red Hat notes impact is local deadlock when combining uinput with FF devices.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31667\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31667\nhttps://lore.kernel.org/linux-cve-announce/2026042406-CVE-2026-31667-a1a7@gregkh/T" ],
  "name" : "CVE-2026-31667",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the uinput module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}