FKIE_CVE-2026-31561

Vulnerability from fkie_nvd - Published: 2026-04-24 15:16 - Updated: 2026-04-24 17:51
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask Commit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so that whenever something else modifies CR4, that bit remains set. Which in itself is a perfectly fine idea. However, there's an issue when during boot FRED is initialized: first on the BSP and later on the APs. Thus, there's a window in time when exceptions cannot be handled. This becomes particularly nasty when running as SEV-{ES,SNP} or TDX guests which, when they manage to trigger exceptions during that short window described above, triple fault due to FRED MSRs not being set up yet. See Link tag below for a much more detailed explanation of the situation. So, as a result, the commit in that Link URL tried to address this shortcoming by temporarily disabling CR4 pinning when an AP is not online yet. However, that is a problem in itself because in this case, an attack on the kernel needs to only modify the online bit - a single bit in RW memory - and then disable CR4 pinning and then disable SM*P, leading to more and worse things to happen to the system. So, instead, remove the FRED bit from the CR4 pinning mask, thus obviating the need to temporarily disable CR4 pinning. If someone manages to disable FRED when poking at CR4, then idt_invalidate() would make sure the system would crash'n'burn on the first exception triggered, which is a much better outcome security-wise.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/00d956dafa76f86a73424fe5cce3d604a8be2e4b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/411df123c017169922cc767affce76282b8e6c85
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a6e14114684d2324e5401617d6d01acb4a4e0e22
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d7853d9fe94abf43b46c57b0b7f8418198b7615a
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask\n\nCommit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so\nthat whenever something else modifies CR4, that bit remains set. Which\nin itself is a perfectly fine idea.\n\nHowever, there\u0027s an issue when during boot FRED is initialized: first on\nthe BSP and later on the APs. Thus, there\u0027s a window in time when\nexceptions cannot be handled.\n\nThis becomes particularly nasty when running as SEV-{ES,SNP} or TDX\nguests which, when they manage to trigger exceptions during that short\nwindow described above, triple fault due to FRED MSRs not being set up\nyet.\n\nSee Link tag below for a much more detailed explanation of the\nsituation.\n\nSo, as a result, the commit in that Link URL tried to address this\nshortcoming by temporarily disabling CR4 pinning when an AP is not\nonline yet.\n\nHowever, that is a problem in itself because in this case, an attack on\nthe kernel needs to only modify the online bit - a single bit in RW\nmemory - and then disable CR4 pinning and then disable SM*P, leading to\nmore and worse things to happen to the system.\n\nSo, instead, remove the FRED bit from the CR4 pinning mask, thus\nobviating the need to temporarily disable CR4 pinning.\n\nIf someone manages to disable FRED when poking at CR4, then\nidt_invalidate() would make sure the system would crash\u0027n\u0027burn on the\nfirst exception triggered, which is a much better outcome security-wise."
    }
  ],
  "id": "CVE-2026-31561",
  "lastModified": "2026-04-24T17:51:40.810",
  "metrics": {},
  "published": "2026-04-24T15:16:30.500",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/00d956dafa76f86a73424fe5cce3d604a8be2e4b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/411df123c017169922cc767affce76282b8e6c85"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a6e14114684d2324e5401617d6d01acb4a4e0e22"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d7853d9fe94abf43b46c57b0b7f8418198b7615a"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.