Description
In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Fix double free in dma-buf feature

The error path through vfio_pci_core_feature_dma_buf() ignores its
own advice to only use dma_buf_put() after dma_buf_export(), instead
falling through the entire unwind chain. In the unlikely event that
we encounter file descriptor exhaustion, this can result in an
unbalanced refcount on the vfio device and double free of allocated
objects.

Avoid this by moving the "put" directly into the error path and return
the errno rather than entering the unwind chain.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s vfio/pci subsystem contains a double free (CWE‑415) in the dma‑buf feature path, vfio_pci_core_feature_dma_buf(). The commit message notes that dma_buf_put() must only be used once dma_buf_export() has succeeded, because from that point dropping the buffer is what tears down the objects the function allocated. The affected error branch, reached when a file descriptor cannot be allocated for the new buffer, calls dma_buf_put() and then also falls through the function’s unwind chain, which drops the vfio device reference a second time and frees the already‑released objects again. The result is an unbalanced refcount on the vfio device and a double free of allocated objects; NVD additionally tags the release of an already‑freed reference as CWE‑763. Such corruption of kernel memory can crash the system and, for an attacker able to reach the error path, potentially be leveraged for privilege escalation. The flaw is entirely kernel‑side and therefore bears directly on kernel integrity and availability.
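The following is an added example, not the kernel’s code and not the patch itself. It models the ownership rule the commit message describes, using hypothetical stand-ins (device, priv, dmabuf, feature_dma_buf_buggy, feature_dma_buf_fixed) and a constructed fd budget: once the export has succeeded, dropping the buffer’s last reference releases the private object and the device reference, so an error path that also runs the pre-export unwind chain drops the device reference twice and frees the object twice. Frees are counted rather than performed so the buggy variant runs without real memory corruption.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the vfio device whose refcount the error path unbalances. */
struct device { int refs; };

/* Stand-in for the objects the feature allocates; frees are counted, not
 * performed, so the buggy variant can be run without undefined behaviour. */
struct priv { int frees; };

struct dmabuf {
    int refs;
    struct priv *priv;
    struct device *dev;
};

static int fds_available;            /* simulated fd table (constructed) */
static struct dmabuf *last_exported; /* lets the harness drop a live export */

static void device_get(struct device *d) { d->refs++; }
static void device_put(struct device *d) { d->refs--; }
static void priv_free(struct priv *p)  { p->frees++; }

/* Release callback: once exported, the buffer owns priv and the dev ref. */
static void dmabuf_release(struct dmabuf *db)
{
    device_put(db->dev);
    priv_free(db->priv);
    free(db);
}

static struct dmabuf *dmabuf_export(struct priv *p, struct device *d)
{
    struct dmabuf *db = calloc(1, sizeof *db);
    if (!db)
        return NULL;
    db->refs = 1;
    db->priv = p;
    db->dev = d;
    last_exported = db;
    return db;
}

static void dmabuf_put(struct dmabuf *db)
{
    if (--db->refs == 0)
        dmabuf_release(db);
}

/* Installing the buffer in the fd table fails with -EMFILE when exhausted. */
static int dmabuf_fd(struct dmabuf *db)
{
    (void)db;
    if (fds_available == 0)
        return -EMFILE;
    return 100 + --fds_available;
}

/* Buggy shape: put() and then fall into the unwind chain as well. */
static int feature_dma_buf_buggy(struct device *dev, struct priv *p)
{
    struct dmabuf *db;
    int ret;

    device_get(dev);
    db = dmabuf_export(p, dev);
    if (!db) {
        ret = -ENOMEM;
        goto err_dev_put;        /* correct here: nothing owns p yet */
    }
    ret = dmabuf_fd(db);
    if (ret < 0) {
        dmabuf_put(db);          /* tears down db, p and the dev ref ... */
        goto err_dev_put;        /* ... and the unwind chain does it again */
    }
    return ret;

err_dev_put:
    device_put(dev);
    priv_free(p);
    return ret;
}

/* Fixed shape: after export, put() is the whole cleanup; return the errno. */
static int feature_dma_buf_fixed(struct device *dev, struct priv *p)
{
    struct dmabuf *db;
    int ret;

    device_get(dev);
    db = dmabuf_export(p, dev);
    if (!db) {
        ret = -ENOMEM;
        goto err_dev_put;
    }
    ret = dmabuf_fd(db);
    if (ret < 0) {
        dmabuf_put(db);          /* sole owner: releases p and the dev ref */
        return ret;              /* skip the unwind chain entirely */
    }
    return ret;

err_dev_put:
    device_put(dev);
    priv_free(p);
    return ret;
}

struct outcome { int ret; int dev_refs; int priv_frees; };

/* Runs one variant with a constructed fd budget and reports what the caller
 * observes afterwards; on success the live export is dropped as closing the
 * fd would. The caller starts with one reference of its own on the device. */
static struct outcome run_feature(int (*fn)(struct device *, struct priv *), int fds)
{
    struct device dev = { .refs = 1 };
    struct priv *p = calloc(1, sizeof *p);
    struct outcome o;

    fds_available = fds;
    last_exported = NULL;
    o.ret = fn(&dev, p);
    o.dev_refs = dev.refs;
    o.priv_frees = p->frees;
    if (o.ret >= 0)
        dmabuf_put(last_exported);
    free(p);                     /* real memory is freed exactly once, here */
    return o;
}

int main(void)
{
    struct outcome b = run_feature(feature_dma_buf_buggy, 0);
    struct outcome f = run_feature(feature_dma_buf_fixed, 0);
    printf("buggy: ret=%d dev_refs=%d priv_frees=%d\n", b.ret, b.dev_refs, b.priv_frees);
    printf("fixed: ret=%d dev_refs=%d priv_frees=%d\n", f.ret, f.dev_refs, f.priv_frees);
    return 0;
}
```

With an empty fd budget the buggy variant leaves the device refcount at 0 (the caller’s own reference is gone) and records two frees of the same object, while the fixed variant leaves the refcount at 1 and one free; with an fd available, the fixed variant returns the fd and nothing is released until the buffer is dropped.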

Affected Systems

NVD lists Linux kernel 7.0‑rc1 through 7.0‑rc5 as affected; more generally, any kernel tree that carries the vfio/pci dma‑buf feature without this fix is affected. Vendors shipping such a kernel are impacted until they move to a version in which the error path calls dma_buf_put() and returns the errno directly instead of entering the unwind chain.

Risk and Exploitability

NVD scores the issue 7.8 (High, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); Red Hat rates attack complexity as High and assigns 7.0 with a severity of Moderate. The EPSS score of less than 1% indicates a very low likelihood of real‑world exploitation, and the vulnerability is not in CISA’s KEV catalog. Exploitation requires local access to a VFIO PCI device that offers the dma‑buf feature; remote exploitation is not plausible without prior local control. The trigger is file descriptor exhaustion at the moment the dma‑buf file descriptor is created, which the commit message calls unlikely in normal operation but which a local process holding the device open can bring about deliberately by filling its own descriptor table. A kernel double free is a memory‑corruption primitive: a denial of service is the direct consequence, and turning it into arbitrary code execution would require further work beyond what the description establishes.

Generated by OpenCVE AI on May 7, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that moves dma_buf_put() into the error handling path and returns the errno directly instead of falling into the unwind chain, addressing the identified CWE‑415 issue.
  • If a kernel upgrade cannot be performed immediately, restrict which users and workloads can open VFIO PCI devices (for example by tightening access to the /dev/vfio device nodes), since a process that can reach the dma‑buf feature can exhaust its own file descriptor table on purpose; lowering RLIMIT_NOFILE does not prevent this and only makes the error path easier to reach.
  • Review any out‑of‑tree code that exports dma‑bufs on behalf of VFIO devices for the same pattern: once dma_buf_export() has succeeded, dropping the buffer with dma_buf_put() is the cleanup, and error paths must not also run the pre‑export unwind chain that frees the same objects and drops the same device reference (CWE‑415, CWE‑763).

Generated by OpenCVE AI on May 7, 2026 at 23:35 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 07 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 07 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1
  Removed: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added:   {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity
  Removed: None
  Added:   Moderate
cvssV3_1
  Added:   {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 22 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Fix double free in dma-buf feature The error path through vfio_pci_core_feature_dma_buf() ignores its own advice to only use dma_buf_put() after dma_buf_export(), instead falling through the entire unwind chain. In the unlikely event that we encounter file descriptor exhaustion, this can result in an unbalanced refcount on the vfio device and double free of allocated objects. Avoid this by moving the "put" directly into the error path and return the errno rather than entering the unwind chain.
Title vfio/pci: Fix double free in dma-buf feature
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:19.181Z

Reserved: 2026-03-09T15:48:24.097Z

Link: CVE-2026-31468

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:43.143

Modified: 2026-05-07T18:20:19.773

Link: CVE-2026-31468

Redhat

Severity : Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31468 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T23:45:40Z

Weaknesses