Skip to main content

Linux Kernel EUVDEUVD-2026-32415

| CVE-2026-46034 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cj6g-rrgh-rx3w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local VFIO device access requires PR:L; crash-only outcome yields A:H with C:N and I:N; no race condition means AC:L.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 19:22 vuln.today
CVSS changed
Jun 16, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

vfio/cdx: Fix NULL pointer dereference in interrupt trigger path

Add validation to ensure MSI is configured before accessing cdx_irqs array in vfio_cdx_set_msi_trigger(). Without this check, userspace can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD.

The vfio_cdx_msi_enable() function allocates the cdx_irqs array and sets config_msi to 1 only when called through the EVENTFD path. The trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been done, but there was no enforcement of this call ordering.

This matches the protection used in the PCI VFIO driver where vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop.

AnalysisAI

NULL pointer dereference in the Linux kernel vfio/cdx subsystem allows a local low-privileged user with access to a CDX VFIO device to crash the kernel by issuing an out-of-order ioctl sequence. Specifically, calling VFIO_DEVICE_SET_IRQS with DATA_BOOL or DATA_NONE flags before ever initializing MSI interrupts via the EVENTFD path dereferences an unallocated cdx_irqs pointer, producing a kernel panic and denial-of-service. No public exploit code exists and EPSS is 0.02%, but vendor-released patches are confirmed available across all affected stable branches.

Technical ContextAI

The vulnerability is in the vfio/cdx kernel subsystem (CWE-476: NULL Pointer Dereference), which exposes CDX (Configurable Device eXtensions) hardware to userspace via the VFIO (Virtual Function I/O) framework. The cdx_irqs array is allocated and the config_msi flag is set to 1 only when vfio_cdx_msi_enable() is called through the EVENTFD ioctl path. The trigger loop inside vfio_cdx_set_msi_trigger() - executed when DATA_BOOL or DATA_NONE flags are used - assumed MSI had already been initialized, but no call-ordering enforcement existed. A userspace caller can therefore invoke the trigger path on a NULL pointer. The analogous PCI VFIO driver (vfio_pci_set_msi_trigger) already had a guard via irq_is(); the CDX driver simply lacked a matching check. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across multiple stable branches originating from commit 848e447e000c41894ff931dc7c004fd42c8840f8.

RemediationAI

Upgrade to a patched kernel version: 6.12.86 or later for the 6.12 stable series, 6.18.27 or later for the 6.18 series, or 7.0.4 or later for the 7.0 series; the 7.1-rc1 development release also includes the fix. The four upstream fix commits are available at https://git.kernel.org/stable/c/338a736aaf15e8ba3635ce20b29af5b8fc15e66a, https://git.kernel.org/stable/c/51bf7638f33aece41cb3f4cbeb942cc52950e329, https://git.kernel.org/stable/c/5d6c349c9823eb819fed8b537b088cf38126018c, and https://git.kernel.org/stable/c/5ea5880764cbb164afb17a62e76ca75dc371409d. As a compensating control where patching is not immediately possible, restrict permissions on /dev/vfio/* device nodes to prevent untrusted local users from opening CDX VFIO devices - this eliminates the ability to issue the malicious ioctl sequence without affecting other workloads. If CDX VFIO passthrough is not operationally required, unloading or blacklisting the vfio_cdx kernel module entirely removes the attack surface with no side effects on non-CDX workloads.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy