Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local VFIO device access needed (AV:L/PR:L); a 'tiny window' shutdown race makes it AC:H; resources pass to another driver so S:C, with high info-leak and corruption impact.
Primary rating from Vendor (Linux).
CVSS Vector (Vendor: Linux)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description (CVE.org)
In the Linux kernel, the following vulnerability has been resolved:
vfio/pci: Clean up DMABUFs before disabling function
On device shutdown, make vfio_pci_core_close_device() call vfio_pci_dma_buf_cleanup() before the function is disabled via vfio_pci_core_disable(). This ensures that all access via DMABUFs is revoked before the function's BARs become inaccessible.
This fixes an issue where, if the function is disabled first, a tiny window exists in which the function's MSE is cleared and yet BARs could still be accessed via the DMABUF. The resources would also be freed and up for grabs by a different driver.
Analysis (AI)
Resource access-after-free in the Linux kernel's vfio/pci subsystem allows a local user with device access to read or corrupt PCI device resources during a race window on device shutdown, because vfio_pci_core_close_device() disabled the function before tearing down DMABUF exports. During the window the function's Memory Space Enable bit is cleared and its BARs (and their backing resources) are freed and reassignable to another driver, while stale DMABUF mappings still reference them. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Requires local access to a system where the attacker can bind/use a VFIO PCI device and create DMABUF exports of its BARs - i.e. … |
| Risk Assessment | Signals are mixed and lean toward low practical priority despite the 8.8 base score. … |
| Exploit Scenario | A local user (or a guest/userspace driver) that legitimately holds a VFIO PCI device repeatedly triggers device close/shutdown while holding or re-mapping DMABUF references to the device's BARs, racing to access the memory in the tiny window after the function is disabled and its resources are freed. Winning the race lets the attacker read or write resources that have been released and potentially reassigned to another driver, causing information disclosure or host-side resource corruption. … |
| Remediation | Patch available per vendor advisory: upgrade to a Linux kernel containing the fix commits 4f1000a30f67cf7d328059242776a858611d5ef9 and d97708701434ce72968e771976aaf9d3438fcafd (merged in the 6.19 cycle and backported to stable trees), which reorder vfio_pci_core_close_device() to call vfio_pci_dma_buf_cleanup() before vfio_pci_core_disable(); a released, tagged stable version number is not independently confirmed from the input, so apply your distribution's kernel update that references this CVE. … |
Recommended Action (AI)
Within 24 hours: Identify all systems running vulnerable Linux kernel versions with vfio/pci functionality and PCI device passthrough capability. …
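One way to carry out the inventory step above on a single host, as an added example that is not part of the advisory or the kernel project: it walks sysfs and lists every PCI function currently bound to a VFIO driver. It assumes that drivers built on vfio-pci-core carry "vfio" in their driver name; the sample tree and the driver name `example-vfio-pci` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list PCI functions whose bound driver name contains "vfio".
# Prints one "<pci-address> <driver>" line per match.
# Usage: vfio_bound_devices [sysfs_root]   (sysfs_root defaults to /sys)
vfio_bound_devices() {
    root=${1:-/sys}
    for dev in "$root"/bus/pci/devices/*; do
        # Functions with no driver bound have no "driver" symlink.
        [ -L "$dev/driver" ] || continue
        drv=$(basename "$(readlink "$dev/driver")")
        case $drv in
            # Assumption: vfio-pci and its variant drivers have "vfio" in the name.
            *vfio*) printf '%s %s\n' "$(basename "$dev")" "$drv" ;;
        esac
    done
}

# Build a constructed sysfs-like tree (not real host data) so the function
# can be exercised without VFIO hardware. Prints the temporary root path.
make_sample_sysfs() {
    t=$(mktemp -d)
    for pair in 0000:01:00.0=vfio-pci 0000:02:00.0=nvme \
                0000:03:00.1=example-vfio-pci 0000:04:00.0=; do
        addr=${pair%%=*}
        drv=${pair#*=}
        mkdir -p "$t/bus/pci/devices/$addr"
        [ -n "$drv" ] || continue          # 0000:04:00.0 stays unbound
        mkdir -p "$t/bus/pci/drivers/$drv"
        ln -s "../../drivers/$drv" "$t/bus/pci/devices/$addr/driver"
    done
    echo "$t"
}

# Stand-alone run: show the result for the constructed tree.
sample=$(make_sample_sysfs)
echo "kernel release on this host: $(uname -r)"
echo "VFIO-bound functions in constructed sample:"
vfio_bound_devices "$sample"
rm -rf "$sample"
```

Calling `vfio_bound_devices` with no argument reads the real `/sys`; any output means the host has passthrough devices in use and its kernel should be checked against the distribution update that references this CVE.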
EUVD-2026-39857
GHSA-rj34-crxv-j5mg