CWE-191
AllowedInteger Underflow (Wrap or Wraparound)
Abstraction: Base · Status: Draft
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
642 vulnerabilities reference this CWE, most recent first.
GHSA-497J-F639-7WW4
Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:53An integer underflow issue exists in ntfs-3g 2017.3.23. A local attacker could potentially exploit this by running /bin/ntfs-3g with specially crafted arguments from a specially crafted directory to cause a heap buffer overflow, resulting in a crash or the ability to execute arbitrary code. In installations where /bin/ntfs-3g is a setuid-root binary, this could lead to a local escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2019-9755"
],
"database_specific": {
"cwe_ids": [
"CWE-191",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-05T15:29:00Z",
"severity": "HIGH"
},
"details": "An integer underflow issue exists in ntfs-3g 2017.3.23. A local attacker could potentially exploit this by running /bin/ntfs-3g with specially crafted arguments from a specially crafted directory to cause a heap buffer overflow, resulting in a crash or the ability to execute arbitrary code. In installations where /bin/ntfs-3g is a setuid-root binary, this could lead to a local escalation of privileges.",
"id": "GHSA-497j-f639-7ww4",
"modified": "2024-04-04T00:53:14Z",
"published": "2022-05-24T16:47:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9755"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2019:3723"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2308"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3345"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202007-45"
},
{
"type": "WEB",
"url": "https://www.tuxera.com/community/release-history"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-498W-5J49-VQJG
Vulnerability from github – Published: 2023-10-04 14:44 – Updated: 2023-10-13 23:13Impact
For some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of a, for small values there exists a second decomposition for a+r (where r is the modulus the values are being reduced by). The second decomposition was possible due to overflowing the field where the values are defined.
Internally, the comparison methods frontend.API.Cmp and frontend.API.IsLess used binary decomposition and checked the bitwise differences. This allows a malicious prover to construct a valid proof for a statement a < b even if a > b.
The issue impacts all users using API.Cmp or API.IsLess methods. Additionally, it impacts the users using bits.ToBinary or API.ToBinary methods if full-width decomposition is requested (the default behaviour if no options are given).
The issues does not impact comparison methods in field emulation (package std/math/emulated) and dedicated comparison package (std/math/cmp).
Patches
Fix has been implemented in pull request #835 and merged in commit 59a4087261a6c73f13e80d695c17b398c3d0934f to master branch. The release v0.9.0 and onwards include the fix.
The fix added additional comparison of the decomposed bit-vector to the modulus of the in-circuit values.
Workarounds
Upgrading to version v0.9.0 should fix the issue without needing to change the calls to value comparison methods.
Alternatively, users can use the std/math/cmp gadget, which additionally allows to bound the number of bits being compared, making the comparisons more efficient if the bound on the absolute difference of the values is known.
References
- https://github.com/Consensys/gnark/pull/835
- https://github.com/zkopru-network/zkopru/issues/116
- https://github.com/iden3/circomlib/pull/48
Acknowledgement
The vulnerability was reported by Marcin Kostrzewa @ Reilabs.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/consensys/gnark"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-44378"
],
"database_specific": {
"cwe_ids": [
"CWE-191",
"CWE-697"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-04T14:44:08Z",
"nvd_published_at": "2023-10-09T14:15:10Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nFor some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of `a`, for small values there exists a second decomposition for `a+r` (where `r` is the modulus the values are being reduced by). The second decomposition was possible due to overflowing the field where the values are defined.\n\nInternally, the comparison methods `frontend.API.Cmp` and `frontend.API.IsLess` used binary decomposition and checked the bitwise differences. This allows a malicious prover to construct a valid proof for a statement `a \u003c b` even if `a \u003e b`.\n\nThe issue impacts all users using `API.Cmp` or `API.IsLess` methods. Additionally, it impacts the users using `bits.ToBinary` or `API.ToBinary` methods if full-width decomposition is requested (the default behaviour if no options are given).\n\nThe issues does not impact comparison methods in field emulation (package `std/math/emulated`) and dedicated comparison package (`std/math/cmp`).\n\n### Patches\n\nFix has been implemented in pull request #835 and merged in commit 59a4087261a6c73f13e80d695c17b398c3d0934f to master branch. The release v0.9.0 and onwards include the fix.\n\nThe fix added additional comparison of the decomposed bit-vector to the modulus of the in-circuit values. \n\n### Workarounds\n\nUpgrading to version v0.9.0 should fix the issue without needing to change the calls to value comparison methods.\n\nAlternatively, users can use the `std/math/cmp` gadget, which additionally allows to bound the number of bits being compared, making the comparisons more efficient if the bound on the absolute difference of the values is known.\n\n### References\n\n* https://github.com/Consensys/gnark/pull/835\n* https://github.com/zkopru-network/zkopru/issues/116\n* https://github.com/iden3/circomlib/pull/48\n\n### Acknowledgement\n\nThe vulnerability was reported by [Marcin Kostrzewa](https://github.com/kustosz) @ [Reilabs](https://reilabs.io/).",
"id": "GHSA-498w-5j49-vqjg",
"modified": "2023-10-13T23:13:57Z",
"published": "2023-10-04T14:44:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44378"
},
{
"type": "WEB",
"url": "https://github.com/zkopru-network/zkopru/issues/116"
},
{
"type": "WEB",
"url": "https://github.com/Consensys/gnark/pull/835"
},
{
"type": "WEB",
"url": "https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f"
},
{
"type": "PACKAGE",
"url": "https://github.com/Consensys/gnark"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-498w-5j49-vqjg"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "gnark unsoundness in variable comparison / non-unique binary decomposition"
}
GHSA-49FP-955P-JX7M
Vulnerability from github – Published: 2024-10-09 15:32 – Updated: 2024-10-09 15:32Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2024-47425"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-09T15:15:14Z",
"severity": "HIGH"
},
"details": "Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-49fp-955p-jx7m",
"modified": "2024-10-09T15:32:20Z",
"published": "2024-10-09T15:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47425"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/framemaker/apsb24-82.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4CC6-F2XJ-W7JX
Vulnerability from github – Published: 2023-11-03 06:36 – Updated: 2024-09-06 15:327-Zip through 22.01 on Linux allows an integer underflow and code execution via a crafted 7Z archive.
{
"affected": [],
"aliases": [
"CVE-2023-31102"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-03T04:15:20Z",
"severity": "HIGH"
},
"details": "7-Zip through 22.01 on Linux allows an integer underflow and code execution via a crafted 7Z archive.",
"id": "GHSA-4cc6-f2xj-w7jx",
"modified": "2024-09-06T15:32:54Z",
"published": "2023-11-03T06:36:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31102"
},
{
"type": "WEB",
"url": "https://ds-security.com/post/integer-overflow-in-7-zip-cve-2023-31102"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231110-0007"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/sevenzip/discussion/45797/thread/713c8a8269"
},
{
"type": "WEB",
"url": "https://www.7-zip.org/download.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1165"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4CPW-52R2-X798
Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2025-04-11 03:57Integer underflow in the asfrtp_parse_packet function in libavformat/rtpdec_asf.c in FFmpeg before 0.8.3 allows remote attackers to execute arbitrary code via a crafted ASF packet.
{
"affected": [],
"aliases": [
"CVE-2011-4031"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-05-09T10:33:00Z",
"severity": "MODERATE"
},
"details": "Integer underflow in the asfrtp_parse_packet function in libavformat/rtpdec_asf.c in FFmpeg before 0.8.3 allows remote attackers to execute arbitrary code via a crafted ASF packet.",
"id": "GHSA-4cpw-52r2-x798",
"modified": "2025-04-11T03:57:30Z",
"published": "2022-05-13T01:12:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4031"
},
{
"type": "WEB",
"url": "http://git.videolan.org/?p=ffmpeg.git%3Ba=commit%3Bh=c2a2ad133eb9d42361804a568dee336992349a5e"
},
{
"type": "WEB",
"url": "http://git.videolan.org/?p=ffmpeg.git%3Ba=shortlog%3Bh=n0.8.3"
},
{
"type": "WEB",
"url": "http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c2a2ad133eb9d42361804a568dee336992349a5e"
},
{
"type": "WEB",
"url": "http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=n0.8.3"
},
{
"type": "WEB",
"url": "http://technet.microsoft.com/en-us/security/msvr/msvr11-012"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4GHG-P426-JC5W
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2025-08-29 15:30A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
{
"affected": [],
"aliases": [
"CVE-2020-14361"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"id": "GHSA-4ghg-p426-jc5w",
"modified": "2025-08-29T15:30:36Z",
"published": "2022-05-24T17:28:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14361"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869142"
},
{
"type": "WEB",
"url": "https://lists.x.org/archives/xorg-announce/2020-August/003058.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202012-01"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4488-2"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1418"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4GX4-W2XQ-PWMJ
Vulnerability from github – Published: 2025-10-21 12:31 – Updated: 2025-10-21 12:31In the Linux kernel, the following vulnerability has been resolved:
RDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit()
This code checks "index" for an upper bound but it does not check for negatives. Change the type to unsigned to prevent underflows.
{
"affected": [],
"aliases": [
"CVE-2022-49199"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:00:56Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit()\n\nThis code checks \"index\" for an upper bound but it does not check for\nnegatives. Change the type to unsigned to prevent underflows.",
"id": "GHSA-4gx4-w2xq-pwmj",
"modified": "2025-10-21T12:31:23Z",
"published": "2025-10-21T12:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49199"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2a495ef04d5f42e6f00eb2bec1ee9075e3d5a771"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/87e0eacb176f9500c2063d140c0a1d7fa51ab8a5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f6dd8669b8299a3a536cd92a7069152a7704da1d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4HGC-47XP-7M5F
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-02 03:31In the Linux kernel, the following vulnerability has been resolved:
ipv6/addrconf: fix a potential refcount underflow for idev
Now in addrconf_mod_rs_timer(), reference idev depends on whether rs_timer is not pending. Then modify rs_timer timeout.
There is a time gap in [1], during which if the pending rs_timer becomes not pending. It will miss to hold idev, but the rs_timer is activated. Thus rs_timer callback function addrconf_rs_timer() will be executed and put idev later without holding idev. A refcount underflow issue for idev can be caused by this.
if (!timer_pending(&idev->rs_timer))
in6_dev_hold(idev);
<--------------[1]
mod_timer(&idev->rs_timer, jiffies + when);
To fix the issue, hold idev if mod_timer() return 0.
{
"affected": [],
"aliases": [
"CVE-2023-53189"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T14:15:41Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6/addrconf: fix a potential refcount underflow for idev\n\nNow in addrconf_mod_rs_timer(), reference idev depends on whether\nrs_timer is not pending. Then modify rs_timer timeout.\n\nThere is a time gap in [1], during which if the pending rs_timer\nbecomes not pending. It will miss to hold idev, but the rs_timer\nis activated. Thus rs_timer callback function addrconf_rs_timer()\nwill be executed and put idev later without holding idev. A refcount\nunderflow issue for idev can be caused by this.\n\n\tif (!timer_pending(\u0026idev-\u003ers_timer))\n\t\tin6_dev_hold(idev);\n\t\t \u003c--------------[1]\n\tmod_timer(\u0026idev-\u003ers_timer, jiffies + when);\n\nTo fix the issue, hold idev if mod_timer() return 0.",
"id": "GHSA-4hgc-47xp-7m5f",
"modified": "2025-12-02T03:31:35Z",
"published": "2025-09-15T15:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53189"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/06a0716949c22e2aefb648526580671197151acc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f656e483eb4733d62f18dfb206a49b78f60f495"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2ad31ce40e8182860b631e37209e93e543790b7c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/436b7cc7eae7851c184b671ed7a4a64c750b86f7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/82abd1c37d3bf2a2658b34772c17a25a6f9cca42"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6395e32935d35e6f935e7caf1c2dac5a95943b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c7eeba47058532f6077d6a658e38b6698f6ae71a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df62fdcd004afa72ecbed0e862ebb983acd3aa57"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4J52-X36J-W2JW
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33In Arm software implementing the Armv8-M processors (all versions), the stack selection mechanism could be influenced by a stack-underflow attack in v8-M TrustZone based processors. An attacker can cause a change to the stack pointer used by the Secure World from a non-secure application if the stack is not initialized. This vulnerability affects only the software that is based on Armv8-M processors with the Security Extension.
{
"affected": [],
"aliases": [
"CVE-2020-16273"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T19:15:00Z",
"severity": "HIGH"
},
"details": "In Arm software implementing the Armv8-M processors (all versions), the stack selection mechanism could be influenced by a stack-underflow attack in v8-M TrustZone based processors. An attacker can cause a change to the stack pointer used by the Secure World from a non-secure application if the stack is not initialized. This vulnerability affects only the software that is based on Armv8-M processors with the Security Extension.",
"id": "GHSA-4j52-x36j-w2jw",
"modified": "2022-05-24T17:33:38Z",
"published": "2022-05-24T17:33:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16273"
},
{
"type": "WEB",
"url": "https://developer.arm.com/support/arm-security-updates/armv8-m-stack-sealing"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4J69-96H5-Q8G9
Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-06-01 18:31In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
A use-after-free / refcount underflow is possible when the heartbeat worker and intel_engine_park_heartbeat() race to release the same engine->heartbeat.systole request.
The heartbeat worker reads engine->heartbeat.systole and calls i915_request_put() on it when the request is complete, but clears the pointer in a separate, non-atomic step. Concurrently, a request retirement on another CPU can drop the engine wakeref to zero, triggering __engine_park() -> intel_engine_park_heartbeat(). If the heartbeat timer is pending at that point, cancel_delayed_work() returns true and intel_engine_park_heartbeat() reads the stale non-NULL systole pointer and calls i915_request_put() on it again, causing a refcount underflow:
<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]
<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0
...
<4> [487.222707] Call Trace:
<4> [487.222711] <TASK>
<4> [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]
<4> [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915]
<4> [487.223566] __engine_park+0xb9/0x650 [i915]
<4> [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915]
<4> [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915]
<4> [487.224797] intel_context_exit_engine+0x7c/0x80 [i915]
<4> [487.225238] intel_context_exit+0xf1/0x1b0 [i915]
<4> [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915]
<4> [487.226178] i915_request_retire+0x1c/0x40 [i915]
<4> [487.226625] engine_retire+0x122/0x180 [i915]
<4> [487.227037] process_one_work+0x239/0x760
<4> [487.227060] worker_thread+0x200/0x3f0
<4> [487.227068] ? __pfx_worker_thread+0x10/0x10
<4> [487.227075] kthread+0x10d/0x150
<4> [487.227083] ? __pfx_kthread+0x10/0x10
<4> [487.227092] ret_from_fork+0x3d4/0x480
<4> [487.227099] ? __pfx_kthread+0x10/0x10
<4> [487.227107] ret_from_fork_asm+0x1a/0x30
<4> [487.227141] </TASK>
Fix this by replacing the non-atomic pointer read + separate clear with xchg() in both racing paths. xchg() is a single indivisible hardware instruction that atomically reads the old pointer and writes NULL. This guarantees only one of the two concurrent callers obtains the non-NULL pointer and performs the put, the other gets NULL and skips it.
(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)
{
"affected": [],
"aliases": [
"CVE-2026-31656"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-24T15:16:45Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat\n\nA use-after-free / refcount underflow is possible when the heartbeat\nworker and intel_engine_park_heartbeat() race to release the same\nengine-\u003eheartbeat.systole request.\n\nThe heartbeat worker reads engine-\u003eheartbeat.systole and calls\ni915_request_put() on it when the request is complete, but clears\nthe pointer in a separate, non-atomic step. Concurrently, a request\nretirement on another CPU can drop the engine wakeref to zero, triggering\n__engine_park() -\u003e intel_engine_park_heartbeat(). If the heartbeat\ntimer is pending at that point, cancel_delayed_work() returns true and\nintel_engine_park_heartbeat() reads the stale non-NULL systole pointer\nand calls i915_request_put() on it again, causing a refcount underflow:\n\n```\n\u003c4\u003e [487.221889] Workqueue: i915-unordered engine_retire [i915]\n\u003c4\u003e [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0\n...\n\u003c4\u003e [487.222707] Call Trace:\n\u003c4\u003e [487.222711] \u003cTASK\u003e\n\u003c4\u003e [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]\n\u003c4\u003e [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915]\n\u003c4\u003e [487.223566] __engine_park+0xb9/0x650 [i915]\n\u003c4\u003e [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915]\n\u003c4\u003e [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915]\n\u003c4\u003e [487.224797] intel_context_exit_engine+0x7c/0x80 [i915]\n\u003c4\u003e [487.225238] intel_context_exit+0xf1/0x1b0 [i915]\n\u003c4\u003e [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915]\n\u003c4\u003e [487.226178] i915_request_retire+0x1c/0x40 [i915]\n\u003c4\u003e [487.226625] engine_retire+0x122/0x180 [i915]\n\u003c4\u003e [487.227037] process_one_work+0x239/0x760\n\u003c4\u003e [487.227060] worker_thread+0x200/0x3f0\n\u003c4\u003e [487.227068] ? __pfx_worker_thread+0x10/0x10\n\u003c4\u003e [487.227075] kthread+0x10d/0x150\n\u003c4\u003e [487.227083] ? __pfx_kthread+0x10/0x10\n\u003c4\u003e [487.227092] ret_from_fork+0x3d4/0x480\n\u003c4\u003e [487.227099] ? __pfx_kthread+0x10/0x10\n\u003c4\u003e [487.227107] ret_from_fork_asm+0x1a/0x30\n\u003c4\u003e [487.227141] \u003c/TASK\u003e\n```\n\nFix this by replacing the non-atomic pointer read + separate clear with\nxchg() in both racing paths. xchg() is a single indivisible hardware\ninstruction that atomically reads the old pointer and writes NULL. This\nguarantees only one of the two concurrent callers obtains the non-NULL\npointer and performs the put, the other gets NULL and skips it.\n\n(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)",
"id": "GHSA-4j69-96h5-q8g9",
"modified": "2026-06-01T18:31:27Z",
"published": "2026-04-24T15:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31656"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2af8b200cae3fdd0e917ecc2753b28bb40c876c1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/455d98ed527fc94eed90406f90ab2391464ca657"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4c71fd099513bfa8acab529b626e1f0097b76061"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/70d3e622b10092fc483e28e57b4e8c49d9cc7f68"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/82034799c6c14b3104668878c3f3e5786f777126"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8ce44d28a84fd5e053a88b04872a89d95c0779d4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a00e92bf6583d019a4fb2c2df7007e6c9b269ce7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca3f48c3567dd49efdc55b80029ae74659c682ee"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.