Skip to main content

Linux Kernel CVE-2026-46036

| EUVDEUVD-2026-32417 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mg62-wj4p-3wq4
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:38 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex

vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array.

Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations.

Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect.

AnalysisAI

Local privilege escalation in the Linux kernel's vfio/cdx (Composable DMA-capable eXtension) driver allows a process with access to a VFIO device file descriptor to trigger a use-after-free of the cdx_irqs array via concurrent VFIO_DEVICE_SET_IRQS ioctls. The race in vfio_cdx_set_msi_trigger() can be exploited by a local low-privileged attacker for memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).

Technical ContextAI

VFIO (Virtual Function I/O) is the Linux framework for exposing direct device access to userspace, commonly used to pass hardware to virtual machines or userspace drivers; the cdx variant supports AMD/Xilinx Composable DMA-capable eXtension fabric devices. The bug is a classic concurrent-access use-after-free (CWE-416 class): vfio_cdx_set_msi_trigger() reads vdev->config_msi and then operates on vdev->cdx_irqs without holding any lock, so a parallel ioctl can call vfio_cdx_msi_disable() which clears config_msi and frees cdx_irqs, while the first thread continues to dereference the freed array. The fix introduces a per-device cdx_irqs_lock mutex that serializes all updates to config_msi, cdx_irqs, and msi_count through vfio_cdx_set_msi_trigger(), which is the single chokepoint for both the ioctl path and the close-device cleanup path.

RemediationAI

Vendor-released patch: upgrade to Linux 6.12.86, 7.0.4, 7.1-rc1, or later stable releases that include the cdx_irqs_lock mutex fix, available via the upstream stable commits listed above (https://git.kernel.org/stable/c/670e8864b1a218d72f08db40d0103adf38fa1d9b and the three sibling backports). Distributions should pull the corresponding stable backport for their kernel series. Where patching is not immediately possible, the practical compensating control is to restrict access to /dev/vfio/* device nodes so that only trusted virtualization service accounts (qemu, libvirt) can open them - verify ownership and mode of the cdx-bound IOMMU group device files and remove any group memberships that grant unprivileged users access. On hosts that do not require CDX passthrough at all, blacklisting or not loading the vfio-cdx module eliminates the attack surface entirely; the trade-off is loss of CDX device passthrough functionality, which is irrelevant on systems without Xilinx/AMD CDX hardware.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46036 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy