Skip to main content

Linux Kernel CVE-2026-46060

| EUVDEUVD-2026-32442 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fgc6-7m88-3373
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H because exploitation requires both QAT 6xxx hardware presence and a specific probe-failure condition; PR:L since local system access is needed; A:H for kernel resource leak causing availability impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 03:30 vuln.today
CVSS changed
Jun 16, 2026 - 01:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

crypto: qat - fix IRQ cleanup on 6xxx probe failure

When adf_dev_up() partially completes and then fails, the IRQ handlers registered during adf_isr_resource_alloc() are not detached before the MSI-X vectors are released.

Since the device is enabled with pcim_enable_device(), calling pci_alloc_irq_vectors() internally registers pcim_msi_release() as a devres action. On probe failure, devres runs pcim_msi_release() which calls pci_free_irq_vectors(), tearing down the MSI-X vectors while IRQ handlers (for example 'qat0-bundle0') are still attached. This causes remove_proc_entry() warnings:

[ 22.163964] remove_proc_entry: removing non-empty directory 'irq/143', leaking at least 'qat0-bundle0'

Moving the devm_add_action_or_reset() before adf_dev_up() does not solve the problem since devres runs in LIFO order and pcim_msi_release(), registered later inside adf_dev_up(), would still fire before adf_device_down().

Fix by calling adf_dev_down() explicitly when adf_dev_up() fails, to properly free IRQ handlers before devres releases the MSI-X vectors.

AnalysisAI

IRQ handler cleanup failure in the Linux kernel Intel QAT (Quick Assist Technology) crypto driver for 6xxx-series devices causes kernel resource leaks and availability impact when device probe partially fails. The flaw manifests during adf_dev_up() failure: because pcim_enable_device() registers pcim_msi_release() as a devres action that runs in LIFO order, MSI-X vectors are torn down while IRQ handlers such as 'qat0-bundle0' are still attached, producing remove_proc_entry() warnings and leaking procfs entries. No public exploit has been identified at time of analysis, and EPSS at 0.02% (4th percentile) confirms negligible exploitation interest; impact is limited to systems that physically host Intel QAT 6xxx accelerator cards.

Technical ContextAI

The affected subsystem is the Linux kernel's Intel QAT (Quick Assist Technology) crypto driver, specifically the adf_isr.c probe/teardown path for 6xxx-series PCIe accelerator devices (CPE: cpe:2.3:o:linux:linux_kernel:*). The root cause is an incorrect teardown ordering in the PCI devres framework: pcim_enable_device() causes the kernel's managed resource infrastructure (devres) to register pcim_msi_release() - which calls pci_free_irq_vectors() - as a cleanup action. Because devres unwinds in last-in, first-out (LIFO) order on probe failure, pcim_msi_release() executes before adf_device_down() has had a chance to detach registered IRQ handlers, leaving orphaned handler registrations pointing at freed MSI-X vector structures. The absence of a formal CWE assignment suggests NVD has not fully classified the root cause, but this is characteristic of CWE-459 (Incomplete Cleanup) or CWE-672 (Operation on Resource After Expiration). The fix is straightforward: explicitly calling adf_dev_down() when adf_dev_up() fails, ensuring IRQ handlers are detached before devres releases the vectors.

RemediationAI

The primary fix is to upgrade to a patched kernel version: Linux 7.0.4, Linux 6.18.27, or 7.1-rc1 (mainline). Stable-tree patches are available directly from kernel.org at https://git.kernel.org/stable/c/27f561bf894e46bdc2d6209c50884adad79d8277, https://git.kernel.org/stable/c/7cd651f1357dcc477e6483c3a4706836b46bdc92, and https://git.kernel.org/stable/c/95aed2af87ec43fa7624cc81dd13d37824ad4972. As a workaround on unpatched systems, unloading or blacklisting the qat_4xxx kernel module (modprobe -r qat_4xxx; echo 'blacklist qat_4xxx' >> /etc/modprobe.d/blacklist.conf) prevents the driver from binding to QAT 6xxx hardware entirely, eliminating the vulnerable probe path at the cost of losing hardware crypto acceleration for QAT workloads. Distributors shipping affected kernel versions (e.g., RHEL, SUSE, Ubuntu) should be monitored for their own backport advisories.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46060 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy