How severe is CVE-2026-31667?

CVE-2026-31667 has a CVSS score of 7.8 (High severity). EPSS score: 0.01% (2th percentile), indicating the estimated probability of exploitation in the wild.

CVE Name

Severity Score

Published Date

CISA KEV

Perspectives, Insights, and News

This Year Vulnerability Management Moves from the Basement to the C-suite

The evolution of cybersecurity practices are reshaping how organizations tackle vulnerabilities.

READ BLOG→

Closing the Loop

Making security everyone's business with prioritization and collaboration.

READ CASE STUDY→

The State of Cyberwarfare

The state of Cyberwarfare

LEARN MORE→

CVE-2026-31667:

In the Linux kernel, the following vulnerability has been resolved:

Input: uinput - fix circular locking dependency with ff-core

A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput (for example, playing ELDEN RING under Wine with a Flydigi Vader 5 controller):

ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex

The cycle is caused by four lock acquisition paths:

ff upload: input_ff_upload() holds ff->mutex and calls uinput_dev_upload_effect() -> uinput_request_submit() -> uinput_request_send(), which acquires udev->mutex.
device create: uinput_ioctl_handler() holds udev->mutex and calls uinput_create_device() -> input_register_device(), which acquires input_mutex.
device register: input_register_device() holds input_mutex and calls kbd_connect() -> input_register_handle(), which acquires dev->mutex.
evdev release: evdev_release() calls input_flush_device() under dev->mutex, which calls input_ff_flush() acquiring ff->mutex.

Fix this by introducing a new state_lock spinlock to protect udev->state and udev->dev access in uinput_request_send() instead of acquiring udev->mutex. The function only needs to atomically check device state and queue an input event into the ring buffer via uinput_dev_event() -- both operations are safe under a spinlock (ktime_get_ts64() and wake_up_interruptible() do not sleep). This breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in the lock ordering and cannot form cycles with mutexes.

To keep state transitions visible to uinput_request_send(), protect writes to udev->state in uinput_create_device() and uinput_destroy_device() with the same state_lock spinlock.

Additionally, move init_completion(&request->done) from uinput_request_send() to uinput_request_submit() before uinput_request_reserve_slot(). Once the slot is allocated, uinput_flush_requests() may call complete() on it at any time from the destroy path, so the completion must be initialised before the request becomes visible.

Lock ordering after the fix:

ff->mutex -> state_lock (spinlock, leaf) udev->mutex -> state_lock (spinlock, leaf) udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)

CVE-2026-31667:

Armis Vulnerability Intelligence Database

Take These Insights to the Next Level

Perspectives, Insights, and News

This Year Vulnerability Management Moves from the Basement to the C-suite

Closing the Loop

The State of Cyberwarfare

Focus on What Matters

Let's talk!

CVE-2026-31667:

CVE-2026-31667:

Score
A numerical rating that indicates how dangerous this vulnerability is.

Threat Predictions

Exploitability

Impact

Description Preview

Industries Affected

CVE-2026-31667:

Armis Vulnerability Intelligence Database

Take These Insights to the Next Level

Perspectives, Insights, and News

This Year Vulnerability Management Moves from the Basement to the C-suite

Closing the Loop

The State of Cyberwarfare

Focus on What Matters

Let's talk!

CVE-2026-31667:

CVE-2026-31667:

ScoreA numerical rating that indicates how dangerous this vulnerability is.

Threat Predictions

Exploitability

Impact

Description Preview

Industries Affected

More High CVEs

Score
A numerical rating that indicates how dangerous this vulnerability is.