CVE-2026-46036 (GCVE-0-2026-46036)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:56 – Updated: 2026-05-27 12:56
Title
vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:

vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex

vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array.

Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations.

Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 848e447e000c41894ff931dc7c004fd42c8840f8 , < ddf96e23c366c566283fce8377928851fa7f5e81 (git)
Affected: 848e447e000c41894ff931dc7c004fd42c8840f8 , < 7b436ade16cc81095d79b79f8efa3af0a4f5c5a2 (git)
Affected: 848e447e000c41894ff931dc7c004fd42c8840f8 , < 7530f34ec0ca1438d45a75dcb43183a1cc92eced (git)
Affected: 848e447e000c41894ff931dc7c004fd42c8840f8 , < 670e8864b1a218d72f08db40d0103adf38fa1d9b (git)
Linux Linux Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/cdx/intr.c",
            "drivers/vfio/cdx/main.c",
            "drivers/vfio/cdx/private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ddf96e23c366c566283fce8377928851fa7f5e81",
              "status": "affected",
              "version": "848e447e000c41894ff931dc7c004fd42c8840f8",
              "versionType": "git"
            },
            {
              "lessThan": "7b436ade16cc81095d79b79f8efa3af0a4f5c5a2",
              "status": "affected",
              "version": "848e447e000c41894ff931dc7c004fd42c8840f8",
              "versionType": "git"
            },
            {
              "lessThan": "7530f34ec0ca1438d45a75dcb43183a1cc92eced",
              "status": "affected",
              "version": "848e447e000c41894ff931dc7c004fd42c8840f8",
              "versionType": "git"
            },
            {
              "lessThan": "670e8864b1a218d72f08db40d0103adf38fa1d9b",
              "status": "affected",
              "version": "848e447e000c41894ff931dc7c004fd42c8840f8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/cdx/intr.c",
            "drivers/vfio/cdx/main.c",
            "drivers/vfio/cdx/private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex\n\nvfio_cdx_set_msi_trigger() reads vdev-\u003econfig_msi and operates on the\nvdev-\u003ecdx_irqs array based on its value, but provides no serialization\nagainst concurrent VFIO_DEVICE_SET_IRQS ioctls.  Two callers can race\nsuch that one observes config_msi as set while another clears it and\nfrees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free\nof the cdx_irqs array.\n\nAdd a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in\nvfio_cdx_set_msi_trigger(), which is the single chokepoint through\nwhich all updates to config_msi, cdx_irqs, and msi_count flow, covering\nboth the ioctl path and the close-device cleanup path.  This keeps the\ntest of config_msi atomic with the subsequent enable, disable, or\ntrigger operations.\n\nDrop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part\nof this change: the optimization it provided is redundant with the\n!config_msi early-return inside vfio_cdx_msi_disable(), and leaving the\ntest in place would be an unsynchronized read of state the new lock is\nmeant to protect."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:56:46.381Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ddf96e23c366c566283fce8377928851fa7f5e81"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b436ade16cc81095d79b79f8efa3af0a4f5c5a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/7530f34ec0ca1438d45a75dcb43183a1cc92eced"
        },
        {
          "url": "https://git.kernel.org/stable/c/670e8864b1a218d72f08db40d0103adf38fa1d9b"
        }
      ],
      "title": "vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46036",
    "datePublished": "2026-05-27T12:56:46.381Z",
    "dateReserved": "2026-05-13T15:03:33.093Z",
    "dateUpdated": "2026-05-27T12:56:46.381Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46036",
      "date": "2026-05-29",
      "epss": "0.00018",
      "percentile": "0.04919"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46036\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:22.913\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex\\n\\nvfio_cdx_set_msi_trigger() reads vdev-\u003econfig_msi and operates on the\\nvdev-\u003ecdx_irqs array based on its value, but provides no serialization\\nagainst concurrent VFIO_DEVICE_SET_IRQS ioctls.  Two callers can race\\nsuch that one observes config_msi as set while another clears it and\\nfrees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free\\nof the cdx_irqs array.\\n\\nAdd a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in\\nvfio_cdx_set_msi_trigger(), which is the single chokepoint through\\nwhich all updates to config_msi, cdx_irqs, and msi_count flow, covering\\nboth the ioctl path and the close-device cleanup path.  This keeps the\\ntest of config_msi atomic with the subsequent enable, disable, or\\ntrigger operations.\\n\\nDrop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part\\nof this change: the optimization it provided is redundant with the\\n!config_msi early-return inside vfio_cdx_msi_disable(), and leaving the\\ntest in place would be an unsynchronized read of state the new lock is\\nmeant to protect.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/670e8864b1a218d72f08db40d0103adf38fa1d9b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7530f34ec0ca1438d45a75dcb43183a1cc92eced\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7b436ade16cc81095d79b79f8efa3af0a4f5c5a2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ddf96e23c366c566283fce8377928851fa7f5e81\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

