Description
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()

At the end of this function, d is the traversal cursor of flist, but the
code completes found instead. This can lead to issues such as NULL pointer
dereferences, double completion, or descriptor leaks.

Fix this by completing d instead of found in the final
list_for_each_entry_safe() loop.
Published: 2026-04-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Kernel
AI Analysis

Impact

This vulnerability resides in the Linux kernel’s DMA engine (idxd) subsystem and involves an incorrect completion of DMA descriptors during the llist_abort_desc() operation. The logic error causes the loop to complete the wrong descriptor, which can result in a NULL pointer dereference, double completion of a descriptor, or leakage of descriptors that are still in use. These flaws can destabilize the kernel, trigger a crash, or cause the DMA engine to misbehave, leading to unresponsive or halted services.

Affected Systems

The flaw affects the Linux kernel; the CNA entry lists "Linux:Linux" with no specific versions provided. Based on the description, it is inferred that any kernel build containing the idxd driver before the patch is vulnerable. System administrators should review the kernel version in use and determine if it predates the commit that fixes the bug.

Risk and Exploitability

The CVSS score is 9.8, and the EPSS indicates a low exploitation probability (<1%). The vulnerability is not listed in CISA’s KEV catalog, indicating no publicly known exploit at the time of this assessment. The likely attack vector is a local compromise that can supply malformed or crafted DMA descriptors to the idxd driver, such as a privileged user or a malicious application that can interact with the DMA subsystem. While remote exploitation is unlikely without local access, an attacker who gains sufficient privileges could force a kernel panic or degrade performance, creating a denial‑of‑service window.

Generated by OpenCVE AI on April 28, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the idxd descriptor completion fix; this replaces the buggy logic with a safe completion of the correct descriptor.
  • If a patch is unavailable for the current platform, temporarily unload or blacklist the idxd module with "modprobe -r idxd" or add a modprobe option to disable it, reducing the attack surface until a kernel update can be applied.
  • Consider disabling or restricting access to the DMA subsystem for non‑trusted applications, and monitor system logs for signs of anomalous DMA activity that could indicate exploitation attempts.

Generated by OpenCVE AI on April 28, 2026 at 21:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-910
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks. Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.
Title dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:40.304Z

Reserved: 2026-03-09T15:48:24.089Z

Link: CVE-2026-31436

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T14:16:36.843

Modified: 2026-04-27T14:16:38.467

Link: CVE-2026-31436

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31436 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:15:39Z

Weaknesses