CVE-2026-31441 - Vulnerability Details

- dmaengine: idxd: Fix memory leak when a wq is reset

Description

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Fix memory leak when a wq is reset

idxd_wq_disable_cleanup() which is called from the reset path for a
workqueue, sets the wq type to NONE, which for other parts of the
driver mean that the wq is empty (all its resources were released).

Only set the wq type to NONE after its resources are released.

Published: 2026-04-22

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a memory leak in the IDXD DMA engine driver of the Linux kernel. During a workqueue reset, its routine sets the workqueue type to NONE before freeing the allocated resources, causing the memory associated with the workqueue not to be released. This ordering leaves dangling allocation, and each reset can increase the kernel’s memory footprint. The bug does not grant additional privileges or allow code execution; its impact is confined to resource depletion, which can eventually lead to application crashes or a system restart.

Affected Systems

All Linux kernels that include the IDXD DMA engine driver and have not yet incorporated the upstream patch are affected. No specific kernel versions are enumerated in the advisory, so the vulnerability applies to any unrevised kernel instance containing the driver.

Risk and Exploitability

The CVSS score of 5.5 classifies this issue as moderate. The EPSS score of <1% indicates a very low probability of exploitation, and it is not listed in CISA’s KEV catalog. The likely attack vector is local; an adversary would need to trigger a reset of an IDXD workqueue, a scenario tied to privileged or kernel‑level execution. While excessive resets could, in theory, cause memory exhaustion, such a scenario requires sustained, repeated kernel‑level operations, making exploitation unlikely without elevated access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`da32b28c95a79e399e18c03f8178f41aec9c66e4`	affected	< a16098a2f0c11ee5e04e23aa7478ca1fcfb0f658
`da32b28c95a79e399e18c03f8178f41aec9c66e4`	affected	< 54d77cc0c40ca2f894859dc7b3c52997574f1a2a
`da32b28c95a79e399e18c03f8178f41aec9c66e4`	affected	< 39c1504e0e76bcfb93991fd94288a83e05d13b51
`da32b28c95a79e399e18c03f8178f41aec9c66e4`	affected	< a9e7815d38629bcf59d3005001f1f315424a58de
`da32b28c95a79e399e18c03f8178f41aec9c66e4`	affected	< 0c3d3ac57e3c52b570b8c695903306bff07e04c8
`da32b28c95a79e399e18c03f8178f41aec9c66e4`	affected	< d9cfb5193a047a92a4d3c0e91ea4cc87c8f7c478
`2a2df2bd10de44c3804661ed15157817c12d6291`	affected	—

Linux

affected

Version	Status	Constraints
`5.8`	affected	—
`0`	unaffected	< 5.8
`6.1.168`	unaffected	≤ 6.1.*
`6.6.131`	unaffected	≤ 6.6.*
`6.12.80`	unaffected	≤ 6.12.*
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.8:-::::::
	cpe:2.3:o:linux:linux_kernel:5.8:rc6::::::
	cpe:2.3:o:linux:linux_kernel:5.8:rc7::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[da32b28c95a79e399e18c03f8178f41aec9c66e4,a16098a2f0c11ee5e04e23aa7478ca1fcfb0f658)`	affected	code_commit	—
`[da32b28c95a79e399e18c03f8178f41aec9c66e4,54d77cc0c40ca2f894859dc7b3c52997574f1a2a)`	affected	code_commit	—
`[da32b28c95a79e399e18c03f8178f41aec9c66e4,39c1504e0e76bcfb93991fd94288a83e05d13b51)`	affected	code_commit	—
`[da32b28c95a79e399e18c03f8178f41aec9c66e4,a9e7815d38629bcf59d3005001f1f315424a58de)`	affected	code_commit	—
`[da32b28c95a79e399e18c03f8178f41aec9c66e4,0c3d3ac57e3c52b570b8c695903306bff07e04c8)`	affected	code_commit	—
`[da32b28c95a79e399e18c03f8178f41aec9c66e4,d9cfb5193a047a92a4d3c0e91ea4cc87c8f7c478)`	affected	code_commit	—
`[2a2df2bd10de44c3804661ed15157817c12d6291,*]`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.8`	affected	generic	—
`[0,5.8)`	unaffected	generic	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.131,6.7.0)`	unaffected	semver	—
`[6.12.80,6.13.0)`	unaffected	semver	—
`[6.18.21,6.19.0)`	unaffected	semver	—
`[6.19.11,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that contains the IDXD DMA engine memory‑leak fix, such as the latest distribution update or the upstream commit that applies the patch.
Reboot the system so that the patched driver loads and any previously leaked memory is freed.
If no official update is available, apply the upstream patch to the kernel source manually, rebuild the kernel, and install the patched kernel.
Optionally, limit or review application logic that triggers frequent workqueue resets to reduce the frequency of the vulnerable operation.

Generated by OpenCVE AI on May 7, 2026 at 20:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0c3d3ac57e3c52b570b8c695903306bff07e04c8
https://git.kernel.org/stable/c/39c1504e0e76bcfb93991fd94288a83e05d13b51
https://git.kernel.org/stable/c/54d77cc0c40ca2f894859dc7b3c52997574f1a2a
https://git.kernel.org/stable/c/a16098a2f0c11ee5e04e23aa7478ca1fcfb0f658
https://git.kernel.org/stable/c/a9e7815d38629bcf59d3005001f1f315424a58de
https://git.kernel.org/stable/c/d9cfb5193a047a92a4d3c0e91ea4cc87c8f7c478
https://lore.kernel.org/linux-cve-announce/2026042244-CVE-2026-31441-eb92@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31441
https://www.cve.org/CVERecord?id=CVE-2026-31441

History

Thu, 07 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
CPEs		cpe:2.3:o:linux:linux_kernel:5.8:-:::::: cpe:2.3:o:linux:linux_kernel:5.8:rc6:::::: cpe:2.3:o:linux:linux_kernel:5.8:rc7:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::

Tue, 28 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-401

Mon, 27 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026042244-CVE-2026-31441-eb92@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31441 https://www.cve.org/CVERecord?id=CVE-2026-31441
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix memory leak when a wq is reset idxd_wq_disable_cleanup() which is called from the reset path for a workqueue, sets the wq type to NONE, which for other parts of the driver mean that the wq is empty (all its resources were released). Only set the wq type to NONE after its resources are released.
Title		dmaengine: idxd: Fix memory leak when a wq is reset
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0c3d3ac57e3c52b570b8c695903306bff07e04c8 https://git.kernel.org/stable/c/39c1504e0e76bcfb93991fd94288a83e05d13b51 https://git.kernel.org/stable/c/54d77cc0c40ca2f894859dc7b3c52997574f1a2a https://git.kernel.org/stable/c/a16098a2f0c11ee5e04e23aa7478ca1fcfb0f658 https://git.kernel.org/stable/c/a9e7815d38629bcf59d3005001f1f315424a58de https://git.kernel.org/stable/c/d9cfb5193a047a92a4d3c0e91ea4cc87c8f7c478

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:53:39.055Z

Updated: 2026-05-11T22:08:45.968Z

Reserved: 2026-03-09T15:48:24.090Z

Link: CVE-2026-31441

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:37.530

Modified: 2026-05-07T19:30:23.797

Link: CVE-2026-31441

Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31441 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T20:45:22Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object