Common Weakness Enumeration

CWE-191

Allowed

Integer Underflow (Wrap or Wraparound)

Abstraction: Base · Status: Draft

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

642 vulnerabilities reference this CWE, most recent first.

GHSA-497J-F639-7WW4

Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:53
VLAI
Details

An integer underflow issue exists in ntfs-3g 2017.3.23. A local attacker could potentially exploit this by running /bin/ntfs-3g with specially crafted arguments from a specially crafted directory to cause a heap buffer overflow, resulting in a crash or the ability to execute arbitrary code. In installations where /bin/ntfs-3g is a setuid-root binary, this could lead to a local escalation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9755"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-05T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "An integer underflow issue exists in ntfs-3g 2017.3.23. A local attacker could potentially exploit this by running /bin/ntfs-3g with specially crafted arguments from a specially crafted directory to cause a heap buffer overflow, resulting in a crash or the ability to execute arbitrary code. In installations where /bin/ntfs-3g is a setuid-root binary, this could lead to a local escalation of privileges.",
  "id": "GHSA-497j-f639-7ww4",
  "modified": "2024-04-04T00:53:14Z",
  "published": "2022-05-24T16:47:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9755"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2019:3723"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2308"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3345"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202007-45"
    },
    {
      "type": "WEB",
      "url": "https://www.tuxera.com/community/release-history"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-498W-5J49-VQJG

Vulnerability from github – Published: 2023-10-04 14:44 – Updated: 2023-10-13 23:13
VLAI
Summary
gnark unsoundness in variable comparison / non-unique binary decomposition
Details

Impact

For some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of a, for small values there exists a second decomposition for a+r (where r is the modulus the values are being reduced by). The second decomposition was possible due to overflowing the field where the values are defined.

Internally, the comparison methods frontend.API.Cmp and frontend.API.IsLess used binary decomposition and checked the bitwise differences. This allows a malicious prover to construct a valid proof for a statement a < b even if a > b.

The issue impacts all users using API.Cmp or API.IsLess methods. Additionally, it impacts the users using bits.ToBinary or API.ToBinary methods if full-width decomposition is requested (the default behaviour if no options are given).

The issues does not impact comparison methods in field emulation (package std/math/emulated) and dedicated comparison package (std/math/cmp).

Patches

Fix has been implemented in pull request #835 and merged in commit 59a4087261a6c73f13e80d695c17b398c3d0934f to master branch. The release v0.9.0 and onwards include the fix.

The fix added additional comparison of the decomposed bit-vector to the modulus of the in-circuit values.

Workarounds

Upgrading to version v0.9.0 should fix the issue without needing to change the calls to value comparison methods.

Alternatively, users can use the std/math/cmp gadget, which additionally allows to bound the number of bits being compared, making the comparisons more efficient if the bound on the absolute difference of the values is known.

References

  • https://github.com/Consensys/gnark/pull/835
  • https://github.com/zkopru-network/zkopru/issues/116
  • https://github.com/iden3/circomlib/pull/48

Acknowledgement

The vulnerability was reported by Marcin Kostrzewa @ Reilabs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/consensys/gnark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-44378"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191",
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-04T14:44:08Z",
    "nvd_published_at": "2023-10-09T14:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nFor some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of `a`, for small values there exists a second decomposition for `a+r` (where `r` is the modulus the values are being reduced by). The second decomposition was possible due to overflowing the field where the values are defined.\n\nInternally, the comparison methods `frontend.API.Cmp` and `frontend.API.IsLess` used binary decomposition and checked the bitwise differences. This allows a malicious prover to construct a valid proof for a statement `a \u003c b` even if `a \u003e b`.\n\nThe issue impacts all users using `API.Cmp` or `API.IsLess` methods. Additionally, it impacts the users using `bits.ToBinary` or `API.ToBinary` methods if full-width decomposition is requested (the default behaviour if no options are given).\n\nThe issues does not impact comparison methods in field emulation (package `std/math/emulated`) and dedicated comparison package (`std/math/cmp`).\n\n### Patches\n\nFix has been implemented in pull request #835 and merged in commit 59a4087261a6c73f13e80d695c17b398c3d0934f to master branch. The release v0.9.0 and onwards include the fix.\n\nThe fix added additional comparison of the decomposed bit-vector to the modulus of the in-circuit values.  \n\n### Workarounds\n\nUpgrading to version v0.9.0 should fix the issue without needing to change the calls to value comparison methods.\n\nAlternatively, users can use the `std/math/cmp` gadget, which additionally allows to bound the number of bits being compared, making the comparisons more efficient if the bound on the absolute difference of the values is known.\n\n### References\n\n* https://github.com/Consensys/gnark/pull/835\n* https://github.com/zkopru-network/zkopru/issues/116\n* https://github.com/iden3/circomlib/pull/48\n\n### Acknowledgement\n\nThe vulnerability was reported by [Marcin Kostrzewa](https://github.com/kustosz) @ [Reilabs](https://reilabs.io/).",
  "id": "GHSA-498w-5j49-vqjg",
  "modified": "2023-10-13T23:13:57Z",
  "published": "2023-10-04T14:44:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44378"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zkopru-network/zkopru/issues/116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Consensys/gnark/pull/835"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Consensys/gnark"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-498w-5j49-vqjg"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "gnark unsoundness in variable comparison / non-unique binary decomposition"
}

GHSA-49FP-955P-JX7M

Vulnerability from github – Published: 2024-10-09 15:32 – Updated: 2024-10-09 15:32
VLAI
Details

Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-09T15:15:14Z",
    "severity": "HIGH"
  },
  "details": "Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-49fp-955p-jx7m",
  "modified": "2024-10-09T15:32:20Z",
  "published": "2024-10-09T15:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47425"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/framemaker/apsb24-82.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4CC6-F2XJ-W7JX

Vulnerability from github – Published: 2023-11-03 06:36 – Updated: 2024-09-06 15:32
VLAI
Details

7-Zip through 22.01 on Linux allows an integer underflow and code execution via a crafted 7Z archive.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-03T04:15:20Z",
    "severity": "HIGH"
  },
  "details": "7-Zip through 22.01 on Linux allows an integer underflow and code execution via a crafted 7Z archive.",
  "id": "GHSA-4cc6-f2xj-w7jx",
  "modified": "2024-09-06T15:32:54Z",
  "published": "2023-11-03T06:36:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31102"
    },
    {
      "type": "WEB",
      "url": "https://ds-security.com/post/integer-overflow-in-7-zip-cve-2023-31102"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231110-0007"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/sevenzip/discussion/45797/thread/713c8a8269"
    },
    {
      "type": "WEB",
      "url": "https://www.7-zip.org/download.html"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1165"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4CPW-52R2-X798

Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2025-04-11 03:57
VLAI
Details

Integer underflow in the asfrtp_parse_packet function in libavformat/rtpdec_asf.c in FFmpeg before 0.8.3 allows remote attackers to execute arbitrary code via a crafted ASF packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-4031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-05-09T10:33:00Z",
    "severity": "MODERATE"
  },
  "details": "Integer underflow in the asfrtp_parse_packet function in libavformat/rtpdec_asf.c in FFmpeg before 0.8.3 allows remote attackers to execute arbitrary code via a crafted ASF packet.",
  "id": "GHSA-4cpw-52r2-x798",
  "modified": "2025-04-11T03:57:30Z",
  "published": "2022-05-13T01:12:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4031"
    },
    {
      "type": "WEB",
      "url": "http://git.videolan.org/?p=ffmpeg.git%3Ba=commit%3Bh=c2a2ad133eb9d42361804a568dee336992349a5e"
    },
    {
      "type": "WEB",
      "url": "http://git.videolan.org/?p=ffmpeg.git%3Ba=shortlog%3Bh=n0.8.3"
    },
    {
      "type": "WEB",
      "url": "http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c2a2ad133eb9d42361804a568dee336992349a5e"
    },
    {
      "type": "WEB",
      "url": "http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=n0.8.3"
    },
    {
      "type": "WEB",
      "url": "http://technet.microsoft.com/en-us/security/msvr/msvr11-012"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4GHG-P426-JC5W

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2025-08-29 15:30
VLAI
Details

A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190",
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
  "id": "GHSA-4ghg-p426-jc5w",
  "modified": "2025-08-29T15:30:36Z",
  "published": "2022-05-24T17:28:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14361"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869142"
    },
    {
      "type": "WEB",
      "url": "https://lists.x.org/archives/xorg-announce/2020-August/003058.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202012-01"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4488-2"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1418"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4GX4-W2XQ-PWMJ

Vulnerability from github – Published: 2025-10-21 12:31 – Updated: 2025-10-21 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit()

This code checks "index" for an upper bound but it does not check for negatives. Change the type to unsigned to prevent underflows.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:56Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit()\n\nThis code checks \"index\" for an upper bound but it does not check for\nnegatives.  Change the type to unsigned to prevent underflows.",
  "id": "GHSA-4gx4-w2xq-pwmj",
  "modified": "2025-10-21T12:31:23Z",
  "published": "2025-10-21T12:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49199"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a495ef04d5f42e6f00eb2bec1ee9075e3d5a771"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87e0eacb176f9500c2063d140c0a1d7fa51ab8a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f6dd8669b8299a3a536cd92a7069152a7704da1d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HGC-47XP-7M5F

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-02 03:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6/addrconf: fix a potential refcount underflow for idev

Now in addrconf_mod_rs_timer(), reference idev depends on whether rs_timer is not pending. Then modify rs_timer timeout.

There is a time gap in [1], during which if the pending rs_timer becomes not pending. It will miss to hold idev, but the rs_timer is activated. Thus rs_timer callback function addrconf_rs_timer() will be executed and put idev later without holding idev. A refcount underflow issue for idev can be caused by this.

if (!timer_pending(&idev->rs_timer))
    in6_dev_hold(idev);
      <--------------[1]
mod_timer(&idev->rs_timer, jiffies + when);

To fix the issue, hold idev if mod_timer() return 0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T14:15:41Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6/addrconf: fix a potential refcount underflow for idev\n\nNow in addrconf_mod_rs_timer(), reference idev depends on whether\nrs_timer is not pending. Then modify rs_timer timeout.\n\nThere is a time gap in [1], during which if the pending rs_timer\nbecomes not pending. It will miss to hold idev, but the rs_timer\nis activated. Thus rs_timer callback function addrconf_rs_timer()\nwill be executed and put idev later without holding idev. A refcount\nunderflow issue for idev can be caused by this.\n\n\tif (!timer_pending(\u0026idev-\u003ers_timer))\n\t\tin6_dev_hold(idev);\n\t\t  \u003c--------------[1]\n\tmod_timer(\u0026idev-\u003ers_timer, jiffies + when);\n\nTo fix the issue, hold idev if mod_timer() return 0.",
  "id": "GHSA-4hgc-47xp-7m5f",
  "modified": "2025-12-02T03:31:35Z",
  "published": "2025-09-15T15:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53189"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06a0716949c22e2aefb648526580671197151acc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f656e483eb4733d62f18dfb206a49b78f60f495"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ad31ce40e8182860b631e37209e93e543790b7c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/436b7cc7eae7851c184b671ed7a4a64c750b86f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/82abd1c37d3bf2a2658b34772c17a25a6f9cca42"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c6395e32935d35e6f935e7caf1c2dac5a95943b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c7eeba47058532f6077d6a658e38b6698f6ae71a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/df62fdcd004afa72ecbed0e862ebb983acd3aa57"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4J52-X36J-W2JW

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

In Arm software implementing the Armv8-M processors (all versions), the stack selection mechanism could be influenced by a stack-underflow attack in v8-M TrustZone based processors. An attacker can cause a change to the stack pointer used by the Secure World from a non-secure application if the stack is not initialized. This vulnerability affects only the software that is based on Armv8-M processors with the Security Extension.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16273"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-12T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Arm software implementing the Armv8-M processors (all versions), the stack selection mechanism could be influenced by a stack-underflow attack in v8-M TrustZone based processors. An attacker can cause a change to the stack pointer used by the Secure World from a non-secure application if the stack is not initialized. This vulnerability affects only the software that is based on Armv8-M processors with the Security Extension.",
  "id": "GHSA-4j52-x36j-w2jw",
  "modified": "2022-05-24T17:33:38Z",
  "published": "2022-05-24T17:33:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16273"
    },
    {
      "type": "WEB",
      "url": "https://developer.arm.com/support/arm-security-updates/armv8-m-stack-sealing"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4J69-96H5-Q8G9

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat

A use-after-free / refcount underflow is possible when the heartbeat worker and intel_engine_park_heartbeat() race to release the same engine->heartbeat.systole request.

The heartbeat worker reads engine->heartbeat.systole and calls i915_request_put() on it when the request is complete, but clears the pointer in a separate, non-atomic step. Concurrently, a request retirement on another CPU can drop the engine wakeref to zero, triggering __engine_park() -> intel_engine_park_heartbeat(). If the heartbeat timer is pending at that point, cancel_delayed_work() returns true and intel_engine_park_heartbeat() reads the stale non-NULL systole pointer and calls i915_request_put() on it again, causing a refcount underflow:

<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]
<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0
...
<4> [487.222707] Call Trace:
<4> [487.222711]  <TASK>
<4> [487.222716]  intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]
<4> [487.223115]  intel_engine_park_heartbeat+0x25/0x40 [i915]
<4> [487.223566]  __engine_park+0xb9/0x650 [i915]
<4> [487.223973]  ____intel_wakeref_put_last+0x2e/0xb0 [i915]
<4> [487.224408]  __intel_wakeref_put_last+0x72/0x90 [i915]
<4> [487.224797]  intel_context_exit_engine+0x7c/0x80 [i915]
<4> [487.225238]  intel_context_exit+0xf1/0x1b0 [i915]
<4> [487.225695]  i915_request_retire.part.0+0x1b9/0x530 [i915]
<4> [487.226178]  i915_request_retire+0x1c/0x40 [i915]
<4> [487.226625]  engine_retire+0x122/0x180 [i915]
<4> [487.227037]  process_one_work+0x239/0x760
<4> [487.227060]  worker_thread+0x200/0x3f0
<4> [487.227068]  ? __pfx_worker_thread+0x10/0x10
<4> [487.227075]  kthread+0x10d/0x150
<4> [487.227083]  ? __pfx_kthread+0x10/0x10
<4> [487.227092]  ret_from_fork+0x3d4/0x480
<4> [487.227099]  ? __pfx_kthread+0x10/0x10
<4> [487.227107]  ret_from_fork_asm+0x1a/0x30
<4> [487.227141]  </TASK>

Fix this by replacing the non-atomic pointer read + separate clear with xchg() in both racing paths. xchg() is a single indivisible hardware instruction that atomically reads the old pointer and writes NULL. This guarantees only one of the two concurrent callers obtains the non-NULL pointer and performs the put, the other gets NULL and skips it.

(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:45Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat\n\nA use-after-free / refcount underflow is possible when the heartbeat\nworker and intel_engine_park_heartbeat() race to release the same\nengine-\u003eheartbeat.systole request.\n\nThe heartbeat worker reads engine-\u003eheartbeat.systole and calls\ni915_request_put() on it when the request is complete, but clears\nthe pointer in a separate, non-atomic step. Concurrently, a request\nretirement on another CPU can drop the engine wakeref to zero, triggering\n__engine_park() -\u003e intel_engine_park_heartbeat(). If the heartbeat\ntimer is pending at that point, cancel_delayed_work() returns true and\nintel_engine_park_heartbeat() reads the stale non-NULL systole pointer\nand calls i915_request_put() on it again, causing a refcount underflow:\n\n```\n\u003c4\u003e [487.221889] Workqueue: i915-unordered engine_retire [i915]\n\u003c4\u003e [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0\n...\n\u003c4\u003e [487.222707] Call Trace:\n\u003c4\u003e [487.222711]  \u003cTASK\u003e\n\u003c4\u003e [487.222716]  intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]\n\u003c4\u003e [487.223115]  intel_engine_park_heartbeat+0x25/0x40 [i915]\n\u003c4\u003e [487.223566]  __engine_park+0xb9/0x650 [i915]\n\u003c4\u003e [487.223973]  ____intel_wakeref_put_last+0x2e/0xb0 [i915]\n\u003c4\u003e [487.224408]  __intel_wakeref_put_last+0x72/0x90 [i915]\n\u003c4\u003e [487.224797]  intel_context_exit_engine+0x7c/0x80 [i915]\n\u003c4\u003e [487.225238]  intel_context_exit+0xf1/0x1b0 [i915]\n\u003c4\u003e [487.225695]  i915_request_retire.part.0+0x1b9/0x530 [i915]\n\u003c4\u003e [487.226178]  i915_request_retire+0x1c/0x40 [i915]\n\u003c4\u003e [487.226625]  engine_retire+0x122/0x180 [i915]\n\u003c4\u003e [487.227037]  process_one_work+0x239/0x760\n\u003c4\u003e [487.227060]  worker_thread+0x200/0x3f0\n\u003c4\u003e [487.227068]  ? __pfx_worker_thread+0x10/0x10\n\u003c4\u003e [487.227075]  kthread+0x10d/0x150\n\u003c4\u003e [487.227083]  ? __pfx_kthread+0x10/0x10\n\u003c4\u003e [487.227092]  ret_from_fork+0x3d4/0x480\n\u003c4\u003e [487.227099]  ? __pfx_kthread+0x10/0x10\n\u003c4\u003e [487.227107]  ret_from_fork_asm+0x1a/0x30\n\u003c4\u003e [487.227141]  \u003c/TASK\u003e\n```\n\nFix this by replacing the non-atomic pointer read + separate clear with\nxchg() in both racing paths. xchg() is a single indivisible hardware\ninstruction that atomically reads the old pointer and writes NULL. This\nguarantees only one of the two concurrent callers obtains the non-NULL\npointer and performs the put, the other gets NULL and skips it.\n\n(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)",
  "id": "GHSA-4j69-96h5-q8g9",
  "modified": "2026-06-01T18:31:27Z",
  "published": "2026-04-24T15:32:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31656"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2af8b200cae3fdd0e917ecc2753b28bb40c876c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/455d98ed527fc94eed90406f90ab2391464ca657"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c71fd099513bfa8acab529b626e1f0097b76061"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70d3e622b10092fc483e28e57b4e8c49d9cc7f68"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/82034799c6c14b3104668878c3f3e5786f777126"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ce44d28a84fd5e053a88b04872a89d95c0779d4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a00e92bf6583d019a4fb2c2df7007e6c9b269ce7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca3f48c3567dd49efdc55b80029ae74659c682ee"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.