Skip to main content

Linux Kernel CVE-2026-31436

| EUVDEUVD-2026-24760 CRITICAL
NULL Pointer Dereference (CWE-476)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j9j9-688w-mvpv
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:25 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
9.8 (CRITICAL)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24760
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()

At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.

Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.

AnalysisAI

Use-after-free and descriptor management error in Linux kernel's Intel IDXD DMA engine driver allows NULL pointer dereferences, double completion, or descriptor leaks. The llist_abort_desc() function completes the wrong descriptor object due to a loop cursor bug introduced in commit aa8d18becc0c. Patches released for kernel 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no active exploitation or public exploit code identified. Despite CVSS 9.8 critical rating with network vector, the actual attack surface requires local access to DMA engine subsystems, making the CVSS vector likely inaccurate or context-dependent.

Technical ContextAI

The vulnerability affects the Intel Data Streaming Accelerator (IDXD) driver in the Linux kernel DMA engine subsystem. IDXD is a hardware accelerator for data movement and transformation operations. The bug occurs in llist_abort_desc(), where a list_for_each_entry_safe() loop uses 'd' as the traversal cursor over a descriptor free list (flist) but erroneously completes 'found' instead of 'd' at loop termination. This creates a classic use-after-free scenario where the wrong memory object is operated on, potentially dereferencing freed or uninitialized memory. The faulty commit aa8d18becc0c introduced this logic error. The DMA descriptor lifecycle management is critical for preventing memory corruption in kernel space, as incorrect completion can cause descriptors to be freed twice (double-free) or not freed at all (leak), or accessed after being returned to allocator pools (use-after-free). This class of bug is CWE-416 (Use After Free) territory, though NVD lists no CWE classification.

RemediationAI

Upgrade to patched kernel versions: 6.12.80 or later in the 6.12 LTS series, 6.18.21 or later in 6.18 stable, 6.19.11 or later in 6.19 stable, or 7.0 mainline. Patches are one-line fixes replacing descriptor completion of 'found' with 'd' in llist_abort_desc(), viewable at commit 0e4f43779d550e559be13a5cdb763bad92c4cc99 and parallel stable branches. For systems unable to patch immediately, compensating controls include: unloading the idxd module ('rmmod idxd') if Intel DSA hardware is not business-critical (side effect: disables hardware-accelerated data movement for applications using DSA); restricting /dev/dsa* device access to root only via udev rules (limits attack surface to privileged users but does not prevent kernel bugs if root or kernel modules trigger the path); monitoring for kernel panics or memory corruption signatures in logs. Disabling the driver eliminates risk but impacts performance for workloads depending on DMA acceleration. No workaround prevents the bug if the driver remains active.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31436 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy