CVE-2026-31781 PUBLISHED

drm/ioc32: stop speculation on the drm_compat_ioctl path

Assigner: Linux
Reserved: 09.03.2026 Published: 01.05.2026 Updated: 01.05.2026

In the Linux kernel, the following vulnerability has been resolved:

drm/ioc32: stop speculation on the drm_compat_ioctl path

The drm compat ioctl path takes a user-controlled pointer, and then dereferences it into a table of function pointers, the signature method of Spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list.
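The fix pattern described above, as an added user-space example; it is not the kernel's DRM code. The names `index_mask_nospec`, `clamp_index`, `dispatch` and `handlers` are hypothetical, and the mask helper is only a model of what `array_index_nospec()` does to an index (it assumes the table size fits in a signed long).

```c
#include <stdio.h>

/* Branch-free mask: all ones when index < size, zero otherwise.
 * Model only: a real implementation must also stop the compiler
 * from optimising the mask away after the bounds check. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Top bit of v is set exactly when index >= size. */
    unsigned long v = index | (size - 1UL - index);
    return (v >> (sizeof(v) * 8 - 1)) - 1UL;
}

/* In-range indexes pass through unchanged; out-of-range ones become 0. */
static unsigned long clamp_index(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

typedef int (*handler_fn)(unsigned long arg);

static int h_version(unsigned long arg) { (void)arg; return 100; }
static int h_echo(unsigned long arg)    { return (int)arg; }
static int h_double(unsigned long arg)  { return (int)(arg * 2); }

/* Constructed dispatch table standing in for the ioctl handler list. */
static const handler_fn handlers[] = { h_version, h_echo, h_double };
#define NR_HANDLERS (sizeof(handlers) / sizeof(handlers[0]))
#define ERR_RANGE   (-1)

/* nr is caller-controlled, as the ioctl number is on the compat path. */
static int dispatch(unsigned long nr, unsigned long arg)
{
    if (nr >= NR_HANDLERS)          /* architectural bounds check */
        return ERR_RANGE;
    /* The branch above can be mispredicted. Clamping with data flow
     * instead of control flow keeps a speculative load of handlers[nr]
     * inside the table even when the check is bypassed. */
    nr = clamp_index(nr, NR_HANDLERS);
    return handlers[nr](arg);
}

int main(void)
{
    printf("dispatch(1, 7) = %d\n", dispatch(1, 7));
    printf("dispatch(9, 7) = %d\n", dispatch(9, 7));
    printf("clamp_index(9, 3) = %lu\n", clamp_index(9, NR_HANDLERS));
    return 0;
}
```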

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 505b5240329b922f21f91d5b5d1e535c805eca6d to 46a60ee8956ef1975f00455f614761c7ecedc09d (excl.)
  • affected from 505b5240329b922f21f91d5b5d1e535c805eca6d to 5bb398991f378ef74d90b14a6ea8b61ff96cc03a (excl.)
  • affected from 505b5240329b922f21f91d5b5d1e535c805eca6d to d59c5d8539662d95887b4564f3f72ad38076a2d5 (excl.)
  • affected from 505b5240329b922f21f91d5b5d1e535c805eca6d to 489f2ef2b908898d01df697dc4fe1476674be640 (excl.)
  • affected from 505b5240329b922f21f91d5b5d1e535c805eca6d to 4a41c2b18fc05d30b718d2602cac339eae710b34 (excl.)
  • affected from 505b5240329b922f21f91d5b5d1e535c805eca6d to f0e441be08a2eab10b2d06fccfa267ee599dd6b3 (excl.)
  • affected from 505b5240329b922f21f91d5b5d1e535c805eca6d to 27ef84bba9b9d7b03418c60fbc6069ea0e87b13c (excl.)
  • affected from 505b5240329b922f21f91d5b5d1e535c805eca6d to f8995c2df519f382525ca4bc90553ad2ec611067 (excl.)
  • Version abc60edcfc87771ff244763d4d19c67766f5dd0f is affected
  • Version a2a840d6dcae960c2dfdf3fcb1b759e1b7d90663 is affected
  • Version 00279b505289f7529d9be2e78915d0483ffbd314 is affected
  • Version d04e6ea0cec9e7d6cba806508f657d2d0dc6cacf is affected
  • Version 7f3ebea19795eb38438cd3709fabf2afd53cf447 is affected
Vendor Linux
Product Linux
Versions Default: affected
  • Version 4.20 is affected
  • unaffected from 0 to 4.20 (excl.)
  • unaffected from 5.10.253 to 5.10.* (incl.)
  • unaffected from 5.15.203 to 5.15.* (incl.)
  • unaffected from 6.1.168 to 6.1.* (incl.)
  • unaffected from 6.6.134 to 6.6.* (incl.)
  • unaffected from 6.12.81 to 6.12.* (incl.)
  • unaffected from 6.18.22 to 6.18.* (incl.)
  • unaffected from 6.19.12 to 6.19.* (incl.)
  • unaffected from 7.0 to * (incl.)

References