CVE-2026-46036

HIGH EPSS 2.6%
Published May 27, 20261mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published May 27, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array. Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations. Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 3

VendorProductVersionRange
linuxlinux_kernel*≥6.10  –  <6.12.86
linuxlinux_kernel*≥6.13  –  <6.18.27
linuxlinux_kernel*≥6.19  –  <7.0.4

References 4

  • git.kernel.org https://git.kernel.org/stable/c/670e8864b1a218d72f08db40d0103adf38fa1d9b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7530f34ec0ca1438d45a75dcb43183a1cc92eced
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7b436ade16cc81095d79b79f8efa3af0a4f5c5a2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ddf96e23c366c566283fce8377928851fa7f5e81
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/670e8864b1a218d72f08db40d0103adf38fa1d9b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7530f34ec0ca1438d45a75dcb43183a1cc92eced
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7b436ade16cc81095d79b79f8efa3af0a4f5c5a2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ddf96e23c366c566283fce8377928851fa7f5e81
    Patch