CVE-2026-31781

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/ioc32: stop speculation on the drm_compat_ioctl path

The drm compat ioctl path takes a user controlled pointer, and then dereferences it into a table of function pointers, the signature method of spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux505b5240329b922f21f91d5b5d1e535c805eca6d < 46a60ee8956ef1975f00455f614761c7ecedc09daffected
LinuxLinux505b5240329b922f21f91d5b5d1e535c805eca6d < 5bb398991f378ef74d90b14a6ea8b61ff96cc03aaffected
LinuxLinux505b5240329b922f21f91d5b5d1e535c805eca6d < d59c5d8539662d95887b4564f3f72ad38076a2d5affected
LinuxLinux505b5240329b922f21f91d5b5d1e535c805eca6d < 489f2ef2b908898d01df697dc4fe1476674be640affected
LinuxLinux505b5240329b922f21f91d5b5d1e535c805eca6d < 4a41c2b18fc05d30b718d2602cac339eae710b34affected
LinuxLinux505b5240329b922f21f91d5b5d1e535c805eca6d < f0e441be08a2eab10b2d06fccfa267ee599dd6b3affected
LinuxLinux505b5240329b922f21f91d5b5d1e535c805eca6d < 27ef84bba9b9d7b03418c60fbc6069ea0e87b13caffected
LinuxLinux505b5240329b922f21f91d5b5d1e535c805eca6d < f8995c2df519f382525ca4bc90553ad2ec611067affected
LinuxLinuxabc60edcfc87771ff244763d4d19c67766f5dd0faffected
LinuxLinuxa2a840d6dcae960c2dfdf3fcb1b759e1b7d90663affected
LinuxLinux00279b505289f7529d9be2e78915d0483ffbd314affected
LinuxLinuxd04e6ea0cec9e7d6cba806508f657d2d0dc6cacfaffected
LinuxLinux7f3ebea19795eb38438cd3709fabf2afd53cf447affected
LinuxLinux3.16.63 < 3.17affected
LinuxLinux4.4.170 < 4.5affected
LinuxLinux4.9.148 < 4.10affected
LinuxLinux4.14.91 < 4.15affected
LinuxLinux4.19.13 < 4.20affected
LinuxLinux4.20affected
LinuxLinux0 < 4.20unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.168 <= 6.1.*unaffected
LinuxLinux6.6.134 <= 6.6.*unaffected
LinuxLinux6.12.81 <= 6.12.*unaffected
LinuxLinux6.18.22 <= 6.18.*unaffected
LinuxLinux6.19.12 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References