Skip to main content

Linux Kernel EUVDEUVD-2026-35156

| CVE-2026-46290 MEDIUM
2026-06-08 Linux GHSA-qr7g-p698-q8wm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H reflects the non-universal requirement for buggy EFI firmware; PR:L because any local user can trigger EFI runtime calls; A:H for system panic.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 19:14 vuln.today
CVSS changed
Jul 08, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

x86/efi: Fix graceful fault handling after FPU softirq changes

Since commit d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin() calls fpregs_lock() which uses local_bh_disable() instead of the previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count during the entire EFI runtime service call, causing in_interrupt() to return true in normal task context.

The graceful page fault handler efi_crash_gracefully_on_page_fault() uses in_interrupt() to bail out for faults in real interrupt context. With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI firmware page faults unhandled. This escalates to die() which also sees in_interrupt() as true and calls panic("Fatal exception in interrupt"), resulting in a hard system freeze. On systems with buggy firmware that triggers page faults during EFI runtime calls (e.g., accessing unmapped memory in GetTime()), this causes an unrecoverable hang instead of the expected graceful EFI_ABORTED recovery.

Fix by replacing in_interrupt() with !in_task(). This preserves the original intent of bailing for interrupts or NMI faults, while no longer falsely triggering from the FPU code path's local_bh_disable().

[ardb: Sashiko spotted that using 'in_hardirq() || in_nmi()' leaves a window where a softirq may be taken before fpregs_lock() is called, but after efi_rts_work.efi_rts_id has been assigned, and any page faults occurring in that window will then be misidentified as having been caused by the firmware. Instead, use !in_task(), which incorporates in_serving_softirq(). ]

AnalysisAI

Linux kernel x86 EFI runtime service fault handling panics instead of recovering gracefully on systems with buggy EFI firmware, following the FPU softirq changes introduced in commit d02198550423. When kernel_fpu_begin() began using local_bh_disable() in place of preempt_disable(), SOFTIRQ_OFFSET is set in preempt_count for the duration of EFI runtime service calls, causing in_interrupt() to return true in normal task context - which causes efi_crash_gracefully_on_page_fault() to bail unconditionally, escalating to panic(). On hardware where EFI firmware (e.g., GetTime()) accesses unmapped memory, this produces an unrecoverable system freeze. No public exploit identified at time of analysis; EPSS is 0.02%, confirming no observed exploitation activity.

Technical ContextAI

The vulnerability lies in the Linux kernel's x86 EFI runtime service subsystem (x86/efi). EFI runtime calls are made from kernel task context but wrapped in kernel_fpu_begin()/kernel_fpu_end() to preserve FPU state. Since commit d02198550423 (x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs), kernel_fpu_begin() internally calls fpregs_lock(), which uses local_bh_disable() rather than preempt_disable(). local_bh_disable() increments SOFTIRQ_OFFSET in the preempt_count bitmask, causing the kernel helper in_interrupt() - which tests for any non-task context including softirq - to return true even though execution is in a normal process context. The graceful EFI page fault handler efi_crash_gracefully_on_page_fault() relies on in_interrupt() to distinguish EFI firmware-triggered faults from real interrupt-context faults; with SOFTIRQ_OFFSET always set, it can no longer make this distinction and unconditionally bails. This leaves firmware-induced page faults unhandled, escalating to die(), which also sees in_interrupt() as true and invokes panic(). The fix replaces in_interrupt() with !in_task(), which correctly identifies real interrupt and NMI context without false-positiving on softirq-disabled task context. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. No CWE was assigned by NVD.

RemediationAI

The primary fix is upgrading to a patched Linux kernel version: 6.18.30 or later for the 6.18.x stable series, 7.0.7 or later for the 7.0.x series, or 7.1-rc3 or later for the development branch. The upstream fix commits (088f65e206087, 22b365ba1af3d, db155b86d1523) are available at https://git.kernel.org/stable/c/ and can be cherry-picked into vendor kernels. Ubuntu users should apply the update referenced in USN-8491-1 at https://ubuntu.com/security/notices/USN-8491-1. As a compensating control for systems that cannot be patched immediately, EFI runtime services can be disabled at boot via the kernel parameter 'efi=noruntime' - this prevents GetTime() and similar runtime service calls from being made, eliminating the fault-trigger path entirely, but at the cost of losing EFI-provided time synchronization and any firmware-managed runtime variables. This trade-off may be acceptable on systems not relying on EFI runtime services for operation. No other kernel configuration workarounds are available without source-level changes.

Share

EUVD-2026-35156 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy