A local denial-of-service vulnerability in the Linux kernel's Intel i915 graphics driver, tracked as CVE-2026-31767, was published on May 1, 2026. The flaw allows any unprivileged user with access to the framebuffer or display subsystem to trigger a kernel crash by crafting malicious display timing parameters, specifically within the Display Stream Compression (DSC) path of the Display Serial Interface (DSI) pipeline. The vulnerability stems from a missing zero-check in a driver calculation, leading to a division by zero in the intel_dsi_get_pclk function when handling DSC slice timing adjustments. This results in a fatal arithmetic exception, instantly destabilizing the system and forcing a reboot.
What makes this vulnerability uniquely noteworthy is the trail of discovery: researchers traced the correct timing computation logic to Microsoft's Windows driver for similar Intel hardware. The Windows driver's robust handling of edge cases provided a comparative clue that exposed the oversight in the Linux implementation. This cross-platform forensic approach underscores how proprietary driver code can sometimes serve as an unintended oracle for identifying flaws in open-source alternatives, reinforcing calls for routine side-by-side driver audits in heterogeneous environments.
Understanding the i915 DSI and DSC Stack
Intel's i915 kernel driver is the primary interface for integrated graphics on countless Linux devices—from laptops and embedded systems to tablets with mobile-class Intel processors. The DSI sub-driver within i915 manages displays connected via the MIPI Display Serial Interface, a common low-power communication protocol popular in thin devices and IoT hardware. DSC, or Display Stream Compression, is an optional but increasingly common technology used to reduce bandwidth demands without perceptible quality loss, enabling higher resolutions over constrained DSI links.
When DSC is active, the driver must precisely compute pixel clocks, slice dimensions, and line timing parameters to stay within the protocol's real-time constraints. One critical calculation involves dividing a total clock value by the number of DSC slices to derive the correct per-slice pixel clock. In the vulnerable code path, if a malicious or malformed DisplayID block (or user-controlled EDID/DisplayPort DPCD data) reports zero DSC slices—a value that should never occur in compliant hardware—the division operation proceeds unchecked, causing a CPU exception that the kernel cannot safely recover from.
The specific function, intel_dsi_get_pclk, introduced for DSC-adjusted DSI timing, lacked a sanitization step present in the corresponding Windows driver. The oversight meant that while Windows survived input with slices = 0 by clamping to a valid minimum, Linux panicked. This discrepancy became the pivot for the vulnerability report.
Technical Breakdown of the Division by Zero
The vulnerability resides in drivers/gpu/drm/i915/display/intel_dsi_dsc.c. In affected kernel versions (all releases up to the fix in 6.12-rc5), the logic in intel_dsi_dsc_compute_params calls:
    pclk = intel_dsi_get_pclk(encoder, pipe_config->pixel_multiplier);
which eventually lands in:
    static int intel_dsi_get_pclk(struct intel_encoder *encoder, int pixel_multiplier)
    {
        struct intel_dsi *intel_dsi = enc_to_intel_dsi(encoder);
        int pclk;

        pclk = DIV_ROUND_UP(encoder->base.crtc->config->clock, intel_dsi->pixel_overlap);
        if (encoder->base.crtc->config->dsc.compression_enable) {
            /* For DSC, adjust pclk based on slice count */
            /* slice_count is used as the divisor here without a zero check */
            pclk = DIV_ROUND_UP(pclk, encoder->base.crtc->config->dsc.slice_count);
        }
        return pclk;
    }
If dsc.slice_count is zero—regardless of how it was set, possibly through a crafted DisplayID block in a connected monitor or via a direct sysfs attack—DIV_ROUND_UP becomes (pclk + 0 - 1) / 0, causing a hardware trap. Because this occurs in an atomic context during mode setting or vblank, the resulting oops is unrecoverable, leading to an immediate kernel panic.
Impact and Attack Surface
CVE-2026-31767 carries a CVSSv4 score of 6.2 (Medium) under the local attack vector. While it requires local access, the attack surface is broader than typical local DoS bugs. Any user with permission to open a DRM device node (/dev/dri/cardX), typically granted to logged-in users via seat management or the video group, can trigger a mode change with crafted DSC parameters. In containerized or multi-tenant environments where GPU access is delegated, this could allow a compromised low-privilege container to crash the entire host kernel.
Systems at risk include:
- Laptops with Intel integrated graphics using eDP-to-DSI bridges with DSC enabled.
- Tablets and 2-in-1s running Intel low-power SoCs (e.g., Jasper Lake, Elkhart Lake, Alder Lake-N) where DSI is the primary display connection.
- Embedded devices and digital signage using Intel chips with DSI panels.
Standard desktop configurations using HDMI/DP external monitors are unlikely to encounter this path because DSC on external displays typically goes through different DP MST codepaths, though the same function may be reachable with a crafted MST hub. The risk is most acute on devices where DSI is the primary display backend and DSC is in use, which represent a growing segment of battery-sensitive portable devices.
The Windows Driver Connection
According to the CVE advisory and subsequent discussions on the dri-devel mailing list, the researcher who discovered the vulnerability, Alex Chen of Binarly, was investigating DSC compliance across Linux and Windows on the same Intel platform. While testing a proprietary DSI panel simulator that injected invalid slice counts, Windows remained operational while Linux consistently crashed.
By reverse-engineering the Intel Graphics Driver for Windows (igdkmd64.sys), Chen found that the Windows code performed a bounds check:
    if (dsc_cfg->slice_count == 0) {
        dsc_cfg->slice_count = 1;
    }
This simple guard prevented any downstream division. The Linux i915 driver, maintained independently by the open-source community, had not incorporated this check despite sharing the same hardware specifications. The fix commit, backported to stable kernels 6.1, 6.6, and 6.11, mirrors the Windows logic exactly, adding a validation step that resets slice_count to 1 if zero is detected.
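The guarded computation as a userspace model, added here as an illustration; it is not the kernel's code or the fix commit. The struct, `sanitize_slice_count` and `model_get_pclk` are hypothetical names, the inputs are constructed, and rejecting a non-positive `pixel_overlap` or a negative slice count is an extra assumption that goes beyond the fix described above.

```c
#include <stdio.h>

/* Rounding division as the kernel macro defines it. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Hypothetical stand-in for the fields the listing reads. */
struct dsc_model {
    int clock;              /* mode clock, kHz */
    int pixel_overlap;      /* first divisor in the listing */
    int compression_enable; /* DSC on/off */
    int slice_count;        /* untrusted, may arrive as 0 */
};

/* Guard described for the fix: a zero slice count is reset to 1. */
static int sanitize_slice_count(int slice_count)
{
    return slice_count == 0 ? 1 : slice_count;
}

/* Guarded pclk computation; returns -1 for input it refuses to divide by. */
int model_get_pclk(const struct dsc_model *cfg)
{
    int pclk;

    /* Assumption beyond the described fix: reject other bad divisors. */
    if (cfg->pixel_overlap <= 0 || cfg->slice_count < 0)
        return -1;

    pclk = DIV_ROUND_UP(cfg->clock, cfg->pixel_overlap);
    if (cfg->compression_enable)
        pclk = DIV_ROUND_UP(pclk, sanitize_slice_count(cfg->slice_count));
    return pclk;
}

int main(void)
{
    /* Constructed inputs: normal, zero slices, DSC off, rounding, bad overlap. */
    const struct dsc_model cases[] = {
        { 148500, 1, 1, 2 }, { 148500, 1, 1, 0 }, { 148500, 1, 0, 0 },
        { 148501, 1, 1, 4 }, { 148500, 0, 1, 2 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("slice_count=%d -> pclk=%d\n",
               cases[i].slice_count, model_get_pclk(&cases[i]));
    return 0;
}
```

A table of inputs like `cases[]`, zero-slice entry included, is the kind of regression input a display-timing unit test would carry.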
This incident highlights a recurring pattern: closed-source drivers often contain defensive programming measures refined over years of quality assurance and OEM validation, while their open-source counterparts may lag in edge-case hardening. Security researchers increasingly use Windows drivers as a reference to audit Linux implementations, a technique that has yielded CVEs in networking, USB, and now graphics subsystems.
Mitigation and Remediation
Users should immediately update their Linux kernel to a version containing the patch. The fix was merged into the mainline kernel on April 28, 2026, and tagged in release 6.12-rc5. Stable kernels 6.11.12, 6.6.48, and 6.1.102 include the backport. Distributions have issued advisories:
- Ubuntu: USN-7654-1 (linux, linux-azure, linux-intel-iotg) released May 2, 2026.
- Fedora: FEDORA-2026-d083a1b2c for kernel 6.11.12.
- Debian: DSA-5785-1 for linux 6.1.0-25.
- Arch Linux: kernel 6.11.12.arch1-1.
For users who cannot immediately reboot, a temporary workaround is to disable DSC at boot by adding i915.enable_dsc=0 to the kernel command line, though this may degrade display quality or prevent high-resolution modes from functioning. Another option is to restrict access to the DRM device nodes for untrusted users by adjusting udev rules or removing write permissions for non-root users, but this is impractical on most desktop systems.
Broader Implications for Driver Security
CVE-2026-31767 is not an isolated case. The Linux graphics stack has seen an uptick in arithmetic vulnerabilities as hardware features like DSC, Panel Self Refresh (PSR), and HDCP become more complex. Many of these features are validated more rigorously in Windows drivers because Microsoft WHQL certification demands extensive edge-case testing. As the Linux ecosystem continues to power more consumer and enterprise devices, closing this testing gap becomes critical.
Google's Pixelbook team and the Asahi Linux project have already started adopting automated driver fuzzing that targets VESA DisplayID block parsing, inspired by this vulnerability. The kernel's DRM subsystem maintainers are also considering a new KUnit test suite for display timing calculations that includes zero-slice inputs.
The cross-platform clue method, using Windows drivers as a test oracle, is being formalized. Binarly's open-source tool, drifter, automates comparing Linux kernel driver functions with their Windows equivalents whenever Intel releases new GPU firmware. This approach promises to surface more discrepancies before attackers find them.
Conclusion
CVE-2026-31767 serves as a stark reminder that even mature, widely reviewed open-source drivers can harbor fatal arithmetic bugs in seldom-tested codepaths. The division by zero in Intel's i915 DSI DSC implementation could crash any vulnerable Linux device with local framebuffer access, but the fix is straightforward and already widely distributed. For practitioners, the main takeaway is to treat kernel updates for graphics subsystems with the same urgency as network-facing vulnerabilities—especially on portable devices that rely on DSI and DSC for daily operation.
Looking forward, the Windows driver clue that unlocked this vulnerability will likely accelerate cross-driver analysis, pushing both Microsoft and the Linux community toward a more hardened, shared understanding of hardware security.