Bug 2461562 (CVE-2026-31571) - CVE-2026-31571 kernel: drm/i915: Unlink NV12 planes earlier
Summary: CVE-2026-31571 kernel: drm/i915: Unlink NV12 planes earlier
Keywords:
Status: NEW
Alias: CVE-2026-31571
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-24 15:08 UTC by OSIDB Bzimport
Modified: 2026-04-24 18:06 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-24 15:08:37 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Unlink NV12 planes earlier

unlink_nv12_plane() will clobber parts of the plane state
potentially already set up by plane_atomic_check(), so we
must make sure not to call the two in the wrong order.
The problem happens when a plane previously selected as
a Y plane is now configured as a normal plane by user space.
plane_atomic_check() will first compute the proper plane
state based on the userspace request, and unlink_nv12_plane()
later clears some of the state.

This used to work on account of unlink_nv12_plane() skipping
the state clearing based on the plane visibility. But I removed
that check, thinking it was an impossible situation. Now when
that situation happens unlink_nv12_plane() will just WARN
and proceed to clobber the state.

Rather than reverting to the old way of doing things, I think
it's more clear if we unlink the NV12 planes before we even
compute the new plane state.

(cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)
Comment 1 Keith Grant 2026-04-24 18:03:48 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042402-CVE-2026-31571-41f9@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.