CVE-2026-31601 (GCVE-0-2026-31601)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-24 14:42
Title
vfio/xe: Reorganize the init to decouple migration from reset
Summary
In the Linux kernel, the following vulnerability has been resolved:

vfio/xe: Reorganize the init to decouple migration from reset

Attempting to issue reset on VF devices that don't support migration
leads to the following:
BUG: unable to handle page fault for address: 00000000000011f8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 7443 Comm: xe_sriov_flr Tainted: G S U 7.0.0-rc1-lgci-xe-xe-4588-cec43d5c2696af219-nodebug+ #1 PREEMPT(lazy)
Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
RIP: 0010:xe_sriov_vfio_wait_flr_done+0xc/0x80 [xe]
Code: ff c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 54 53 <83> bf f8 11 00 00 02 75 61 41 89 f4 85 f6 74 52 48 8b 47 08 48 89
RSP: 0018:ffffc9000f7c39b8 EFLAGS: 00010202
RAX: ffffffffa04d8660 RBX: ffff88813e3e4000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000f7c39c8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888101a48800
R13: ffff88813e3e4150 R14: ffff888130d0d008 R15: ffff88813e3e40d0
FS: 00007877d3d0d940(0000) GS:ffff88890b6d3000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000011f8 CR3: 000000015a762000 CR4: 0000000000f52ef0
PKRU: 55555554
Call Trace:
<TASK>
xe_vfio_pci_reset_done+0x49/0x120 [xe_vfio_pci]
pci_dev_restore+0x3b/0x80
pci_reset_function+0x109/0x140
reset_store+0x5c/0xb0
dev_attr_store+0x17/0x40
sysfs_kf_write+0x72/0x90
kernfs_fop_write_iter+0x161/0x1f0
vfs_write+0x261/0x440
ksys_write+0x69/0xf0
__x64_sys_write+0x19/0x30
x64_sys_call+0x259/0x26e0
do_syscall_64+0xcb/0x1500
? __fput+0x1a2/0x2d0
? fput_close_sync+0x3d/0xa0
? __x64_sys_close+0x3e/0x90
? x64_sys_call+0x1b7c/0x26e0
? do_syscall_64+0x109/0x1500
? __task_pid_nr_ns+0x68/0x100
? __do_sys_getpid+0x1d/0x30
? x64_sys_call+0x10b5/0x26e0
? do_syscall_64+0x109/0x1500
? putname+0x41/0x90
? do_faccessat+0x1e8/0x300
? __x64_sys_access+0x1c/0x30
? x64_sys_call+0x1822/0x26e0
? do_syscall_64+0x109/0x1500
? tick_program_event+0x43/0xa0
? hrtimer_interrupt+0x126/0x260
? irqentry_exit+0xb2/0x710
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7877d5f1c5a4
Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d a5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89
RSP: 002b:00007fff48e5f908 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007877d5f1c5a4
RDX: 0000000000000001 RSI: 00007877d621b0c9 RDI: 0000000000000009
RBP: 0000000000000001 R08: 00005fb49113b010 R09: 0000000000000007
R10: 0000000000000000 R11: 0000000000000202 R12: 00007877d621b0c9
R13: 0000000000000009 R14: 00007fff48e5fac0 R15: 00007fff48e5fac0
</TASK>

This is caused by the fact that some of the xe_vfio_pci_core_device
members needed for handling reset are only initialized as part of
migration init.

Fix the problem by reorganizing the code to decouple VF init from
migration init.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vfio/pci/xe/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fa4113fc65b8b29a30fbbca5fd82221dc6e146e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "73e53ff144a538f1843b3dea1e2740a755031cdc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vfio/pci/xe/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/xe: Reorganize the init to decouple migration from reset\n\nAttempting to issue reset on VF devices that don\u0027t support migration\nleads to the following:\n\n BUG: unable to handle page fault for address: 00000000000011f8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 2 UID: 0 PID: 7443 Comm: xe_sriov_flr Tainted: G S U 7.0.0-rc1-lgci-xe-xe-4588-cec43d5c2696af219-nodebug+ #1 PREEMPT(lazy)\n Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n RIP: 0010:xe_sriov_vfio_wait_flr_done+0xc/0x80 [xe]\n Code: ff c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 54 53 \u003c83\u003e bf f8 11 00 00 02 75 61 41 89 f4 85 f6 74 52 48 8b 47 08 48 89\n RSP: 0018:ffffc9000f7c39b8 EFLAGS: 00010202\n RAX: ffffffffa04d8660 RBX: ffff88813e3e4000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffc9000f7c39c8 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff888101a48800\n R13: ffff88813e3e4150 R14: ffff888130d0d008 R15: ffff88813e3e40d0\n FS: 00007877d3d0d940(0000) GS:ffff88890b6d3000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000000011f8 CR3: 000000015a762000 CR4: 0000000000f52ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n xe_vfio_pci_reset_done+0x49/0x120 [xe_vfio_pci]\n pci_dev_restore+0x3b/0x80\n pci_reset_function+0x109/0x140\n reset_store+0x5c/0xb0\n dev_attr_store+0x17/0x40\n sysfs_kf_write+0x72/0x90\n kernfs_fop_write_iter+0x161/0x1f0\n vfs_write+0x261/0x440\n ksys_write+0x69/0xf0\n __x64_sys_write+0x19/0x30\n x64_sys_call+0x259/0x26e0\n 
do_syscall_64+0xcb/0x1500\n ? __fput+0x1a2/0x2d0\n ? fput_close_sync+0x3d/0xa0\n ? __x64_sys_close+0x3e/0x90\n ? x64_sys_call+0x1b7c/0x26e0\n ? do_syscall_64+0x109/0x1500\n ? __task_pid_nr_ns+0x68/0x100\n ? __do_sys_getpid+0x1d/0x30\n ? x64_sys_call+0x10b5/0x26e0\n ? do_syscall_64+0x109/0x1500\n ? putname+0x41/0x90\n ? do_faccessat+0x1e8/0x300\n ? __x64_sys_access+0x1c/0x30\n ? x64_sys_call+0x1822/0x26e0\n ? do_syscall_64+0x109/0x1500\n ? tick_program_event+0x43/0xa0\n ? hrtimer_interrupt+0x126/0x260\n ? irqentry_exit+0xb2/0x710\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7877d5f1c5a4\n Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d a5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89\n RSP: 002b:00007fff48e5f908 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\n RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007877d5f1c5a4\n RDX: 0000000000000001 RSI: 00007877d621b0c9 RDI: 0000000000000009\n RBP: 0000000000000001 R08: 00005fb49113b010 R09: 0000000000000007\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007877d621b0c9\n R13: 0000000000000009 R14: 00007fff48e5fac0 R15: 00007fff48e5fac0\n \u003c/TASK\u003e\n\nThis is caused by the fact that some of the xe_vfio_pci_core_device\nmembers needed for handling reset are only initialized as part of\nmigration init.\n\nFix the problem by reorganizing the code to decouple VF init from\nmigration init."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:42:25.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fa4113fc65b8b29a30fbbca5fd82221dc6e146e"
},
{
"url": "https://git.kernel.org/stable/c/73e53ff144a538f1843b3dea1e2740a755031cdc"
}
],
"title": "vfio/xe: Reorganize the init to decouple migration from reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31601",
"datePublished": "2026-04-24T14:42:25.287Z",
"dateReserved": "2026-03-09T15:48:24.121Z",
"dateUpdated": "2026-04-24T14:42:25.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-31601",
"date": "2026-04-25",
"epss": "0.00018",
"percentile": "0.04987"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-31601\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-24T15:16:39.090\",\"lastModified\":\"2026-04-24T17:51:40.810\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/xe: Reorganize the init to decouple migration from reset\\n\\nAttempting to issue reset on VF devices that don\u0027t support migration\\nleads to the following:\\n\\n BUG: unable to handle page fault for address: 00000000000011f8\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: Oops: 0000 [#1] SMP NOPTI\\n CPU: 2 UID: 0 PID: 7443 Comm: xe_sriov_flr Tainted: G S U 7.0.0-rc1-lgci-xe-xe-4588-cec43d5c2696af219-nodebug+ #1 PREEMPT(lazy)\\n Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\\n Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\\n RIP: 0010:xe_sriov_vfio_wait_flr_done+0xc/0x80 [xe]\\n Code: ff c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 54 53 \u003c83\u003e bf f8 11 00 00 02 75 61 41 89 f4 85 f6 74 52 48 8b 47 08 48 89\\n RSP: 0018:ffffc9000f7c39b8 EFLAGS: 00010202\\n RAX: ffffffffa04d8660 RBX: ffff88813e3e4000 RCX: 0000000000000000\\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\\n RBP: ffffc9000f7c39c8 R08: 0000000000000000 R09: 0000000000000000\\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff888101a48800\\n R13: ffff88813e3e4150 R14: ffff888130d0d008 R15: ffff88813e3e40d0\\n FS: 00007877d3d0d940(0000) GS:ffff88890b6d3000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00000000000011f8 CR3: 000000015a762000 CR4: 0000000000f52ef0\\n PKRU: 55555554\\n Call Trace:\\n \u003cTASK\u003e\\n xe_vfio_pci_reset_done+0x49/0x120 
[xe_vfio_pci]\\n pci_dev_restore+0x3b/0x80\\n pci_reset_function+0x109/0x140\\n reset_store+0x5c/0xb0\\n dev_attr_store+0x17/0x40\\n sysfs_kf_write+0x72/0x90\\n kernfs_fop_write_iter+0x161/0x1f0\\n vfs_write+0x261/0x440\\n ksys_write+0x69/0xf0\\n __x64_sys_write+0x19/0x30\\n x64_sys_call+0x259/0x26e0\\n do_syscall_64+0xcb/0x1500\\n ? __fput+0x1a2/0x2d0\\n ? fput_close_sync+0x3d/0xa0\\n ? __x64_sys_close+0x3e/0x90\\n ? x64_sys_call+0x1b7c/0x26e0\\n ? do_syscall_64+0x109/0x1500\\n ? __task_pid_nr_ns+0x68/0x100\\n ? __do_sys_getpid+0x1d/0x30\\n ? x64_sys_call+0x10b5/0x26e0\\n ? do_syscall_64+0x109/0x1500\\n ? putname+0x41/0x90\\n ? do_faccessat+0x1e8/0x300\\n ? __x64_sys_access+0x1c/0x30\\n ? x64_sys_call+0x1822/0x26e0\\n ? do_syscall_64+0x109/0x1500\\n ? tick_program_event+0x43/0xa0\\n ? hrtimer_interrupt+0x126/0x260\\n ? irqentry_exit+0xb2/0x710\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n RIP: 0033:0x7877d5f1c5a4\\n Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d a5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89\\n RSP: 002b:00007fff48e5f908 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\\n RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007877d5f1c5a4\\n RDX: 0000000000000001 RSI: 00007877d621b0c9 RDI: 0000000000000009\\n RBP: 0000000000000001 R08: 00005fb49113b010 R09: 0000000000000007\\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007877d621b0c9\\n R13: 0000000000000009 R14: 00007fff48e5fac0 R15: 00007fff48e5fac0\\n \u003c/TASK\u003e\\n\\nThis is caused by the fact that some of the xe_vfio_pci_core_device\\nmembers needed for handling reset are only initialized as part of\\nmigration init.\\n\\nFix the problem by reorganizing the code to decouple VF init from\\nmigration 
init.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/73e53ff144a538f1843b3dea1e2740a755031cdc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8fa4113fc65b8b29a30fbbca5fd82221dc6e146e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}