CVE-2026-31656

EUVD-2026-25549

24.04.2026, 15:16

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat

A use-after-free / refcount underflow is possible when the heartbeat
worker and intel_engine_park_heartbeat() race to release the same
engine->heartbeat.systole request.

The heartbeat worker reads engine->heartbeat.systole and calls
i915_request_put() on it when the request is complete, but clears
the pointer in a separate, non-atomic step. Concurrently, a request
retirement on another CPU can drop the engine wakeref to zero, triggering
__engine_park() -> intel_engine_park_heartbeat(). If the heartbeat
timer is pending at that point, cancel_delayed_work() returns true and
intel_engine_park_heartbeat() reads the stale non-NULL systole pointer
and calls i915_request_put() on it again, causing a refcount underflow:

```
<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]
<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0
...
<4> [487.222707] Call Trace:
<4> [487.222711]  <TASK>
<4> [487.222716]  intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]
<4> [487.223115]  intel_engine_park_heartbeat+0x25/0x40 [i915]
<4> [487.223566]  __engine_park+0xb9/0x650 [i915]
<4> [487.223973]  ____intel_wakeref_put_last+0x2e/0xb0 [i915]
<4> [487.224408]  __intel_wakeref_put_last+0x72/0x90 [i915]
<4> [487.224797]  intel_context_exit_engine+0x7c/0x80 [i915]
<4> [487.225238]  intel_context_exit+0xf1/0x1b0 [i915]
<4> [487.225695]  i915_request_retire.part.0+0x1b9/0x530 [i915]
<4> [487.226178]  i915_request_retire+0x1c/0x40 [i915]
<4> [487.226625]  engine_retire+0x122/0x180 [i915]
<4> [487.227037]  process_one_work+0x239/0x760
<4> [487.227060]  worker_thread+0x200/0x3f0
<4> [487.227068]  ? __pfx_worker_thread+0x10/0x10
<4> [487.227075]  kthread+0x10d/0x150
<4> [487.227083]  ? __pfx_kthread+0x10/0x10
<4> [487.227092]  ret_from_fork+0x3d4/0x480
<4> [487.227099]  ? __pfx_kthread+0x10/0x10
<4> [487.227107]  ret_from_fork_asm+0x1a/0x30
<4> [487.227141]  </TASK>
```

Fix this by replacing the non-atomic pointer read + separate clear with
xchg() in both racing paths. xchg() is a single indivisible hardware
instruction that atomically reads the old pointer and writes NULL. This
guarantees only one of the two concurrent callers obtains the non-NULL
pointer and performs the put, the other gets NULL and skips it.

(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)

Wrap or Wraparound

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.5.1 ≤ 𝑥 < 5.15.203
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.169
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.135
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.82
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.23
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.13
linux	linux_kernel	5.5
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2
linux	linux_kernel	7.0:rc3
linux	linux_kernel	7.0:rc4
linux	linux_kernel	7.0:rc5
linux	linux_kernel	7.0:rc6
linux	linux_kernel	7.0:rc7

𝑥

= Vulnerable software versions

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

dlm-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

gfs2-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-64kb

suse enterprise server 15 SP4	5.14.21-150400.24.219.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.112.1 fixed

kernel-default

suse enterprise server 15 SP4	5.14.21-150400.24.219.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.112.1 fixed

kernel-default-base

suse enterprise server 15 SP4	5.14.21-150400.24.219.1.150400.24.110.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.112.1.150600.12.52.1 fixed

kernel-docs

suse enterprise server 15 SP4	5.14.21-150400.24.219.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.112.1 fixed

kernel-macros

suse enterprise server 15 SP4	5.14.21-150400.24.219.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.112.1 fixed

kernel-obs-build

suse enterprise server 15 SP4	5.14.21-150400.24.219.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.112.1 fixed

kernel-source

suse enterprise server 15 SP4	5.14.21-150400.24.219.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.112.1 fixed

kernel-syms

suse enterprise server 15 SP4	5.14.21-150400.24.219.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.112.1 fixed

kernel-zfcpdump

suse enterprise server 15 SP4	5.14.21-150400.24.219.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.112.1 fixed

ocfs2-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

reiserfs-kmp-default

suse enterprise server 15 SP4	5.14.21-150400.24.219.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.112.1 fixed

Amazon Linux Releases

Amazon Package

Release

bpftool

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

bpftool-debuginfo

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

bpftool6.12

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

bpftool6.12-debuginfo

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

bpftool6.18

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

bpftool6.18-debuginfo

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

kernel-debuginfo

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

kernel-debuginfo-common-aarch64

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

kernel-debuginfo-common-x86_64

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

kernel-devel

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

kernel-headers

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

kernel-livepatch-6.1.170-210.320

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-livepatch-6.12.83-113.160

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-livepatch-6.18.25-55.108

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-modules-extra

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

kernel-modules-extra-common

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

kernel-tools

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

kernel-tools-debuginfo

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

kernel-tools-devel

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

kernel6.12

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-debuginfo

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-debuginfo-common-aarch64

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-debuginfo-common-x86_64

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-devel

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-headers

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-modules-extra

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-modules-extra-common

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-tools

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-tools-debuginfo

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-tools-devel

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.18

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-debuginfo

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-debuginfo-common-aarch64

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-debuginfo-common-x86_64

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-devel

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-headers

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-modules-extra

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-modules-extra-common

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-tools

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-tools-debuginfo

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

kernel6.18-tools-devel

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

perf

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

perf-debuginfo

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

perf6.12

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

perf6.12-debuginfo

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

perf6.18

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

perf6.18-debuginfo

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

python3-perf

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

python3-perf-debuginfo

Amazon Linux 2023

1:6.1.170-210.320.amzn2023

fixed

python3-perf6.12

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

python3-perf6.12-debuginfo

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

python3-perf6.18

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

python3-perf6.18-debuginfo

Amazon Linux 2023

1:6.18.25-55.108.amzn2023

fixed

Azure Linux Releases

Azure Package

Release

kernel

Azure Linux 3.0

0:6.6.137.1-1.azl3

fixed

Common Weakness Enumeration

CWE-191 - Integer Underflow (Wrap or Wraparound)
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, welche zu einem Denial-of-Service-Zustand, einer Rechteausweitung, der Ausführung von Code oder einer Speicherbeschädigung führen könnten.
Published: 2026-04-26T22:00:00+00:00

References

https://git.kernel.org/stable/c/2af8b200cae3fdd0e917ecc2753b28bb40c876c1

https://git.kernel.org/stable/c/455d98ed527fc94eed90406f90ab2391464ca657

https://git.kernel.org/stable/c/4c71fd099513bfa8acab529b626e1f0097b76061

https://git.kernel.org/stable/c/70d3e622b10092fc483e28e57b4e8c49d9cc7f68

https://git.kernel.org/stable/c/82034799c6c14b3104668878c3f3e5786f777126

https://git.kernel.org/stable/c/8ce44d28a84fd5e053a88b04872a89d95c0779d4

https://git.kernel.org/stable/c/a00e92bf6583d019a4fb2c2df7007e6c9b269ce7

https://git.kernel.org/stable/c/ca3f48c3567dd49efdc55b80029ae74659c682ee