Description
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()

At the end of this function, d is the traversal cursor of flist, but the
code completes found instead. This can lead to issues such as NULL pointer
dereferences, double completion, or descriptor leaks.

Fix this by completing d instead of found in the final
list_for_each_entry_safe() loop.
Published: 2026-04-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Linux kernel’s DMA engine (idxd) subsystem and is caused by a logic error that results in the wrong DMA descriptor being completed during the llist_abort_desc() function. This mis‑completion can trigger NULL pointer dereferences, double completions, or leaf descriptor leaks. If exploited, the kernel may crash or the DMA engine may become unreliable, potentially causing kernel panics or service disruption due to corrupted DMA state.

Affected Systems

Affected systems are Linux kernel versions that include the idxd driver before the commit that introduces the fix. The CNA vendor listing is "Linux:Linux" with no specific version data, so based on the commit description it is inferred that any kernel build containing the idxd driver older than the patch is vulnerable. No further version granularity is provided in the supplied data.

Risk and Exploitability

The CVSS score is 9.8, and the EPSS score indicates a very low exploitation probability (<1%). The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploit as of this assessment. Based on the description, it is inferred that exploitation would require local or privileged access to the DMA subsystem, such as a process that can create or manipulate DMA descriptors for idxd. Remote exploitation is unlikely without such privileges, and the overall risk depends on the likelihood of a local attacker gaining sufficient privileges on the host.

Generated by OpenCVE AI on May 20, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the idxd descriptor completion fix; this replaces the buggy logic with a safe completion of the correct descriptor.
  • If a patch is unavailable for the current platform, temporarily unload or blacklist the idxd module with "modprobe -r idxd" or add a modprobe option to disable it, reducing the attack surface until a kernel update can be applied.
  • Consider restricting access to the DMA subsystem for non‑trusted applications, and monitor system logs for signs of anomalous DMA activity that could indicate exploitation attempts.

Generated by OpenCVE AI on May 20, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Tue, 19 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-910
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks. Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.
Title dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:40.304Z

Reserved: 2026-03-09T15:48:24.089Z

Link: CVE-2026-31436

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:36.843

Modified: 2026-05-19T22:10:37.267

Link: CVE-2026-31436

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31436 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T00:30:17Z

Weaknesses
  • CWE-476

    NULL Pointer Dereference

  • CWE-910

    Use of Expired File Descriptor