CVE-2026-31523 - Vulnerability Details

- nvme-pci: ensure we're polling a polled queue

Description

In the Linux kernel, the following vulnerability has been resolved:

nvme-pci: ensure we're polling a polled queue

A user can change the polled queue count at run time. There's a brief
window during a reset where a hipri task may try to poll that queue
before the block layer has updated the queue maps, which would race with
the now interrupt driven queue and may cause double completions.

Published: 2026-04-22

Score: 4.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s NVMe PCI driver contains a race condition (CWE‑367) in which a user‑initiated change to the polled queue count during a reset can trigger a high‑priority task to poll the queue before the block layer updates the queue maps. This timing gap may cause the same I/O request to be completed twice, potentially leading to unexpected kernel behavior. The vulnerability does not explicitly enumerate the consequences of double completions, but the duplication of completion events could disrupt normal I/O flow and destabilize the driver.

Affected Systems

All Linux kernel releases that include the nvme‑pci driver before the polled‑queue patch is applied, including the 7.0 release candidates. The issue is present in the mainline kernel where the driver was vulnerable.

Risk and Exploitability

The vulnerability is scored with a CVSS score of 4.7, indicating moderate risk. The EPSS score of less than 1 % reflects very low exploitation likelihood. Because the flaw requires modifying driver parameters that are typically privileged, the attack vector is local rather than remote. The flaw is not present in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4b04cc6a8f86c4842314def22332de1f15de8523`	affected	< 965e2c943f065122f14282a88d70a8a92e12a4da
`4b04cc6a8f86c4842314def22332de1f15de8523`	affected	< ba167d5982e2eb6ff9356d409eca592ce99555da
`4b04cc6a8f86c4842314def22332de1f15de8523`	affected	< 0685dd9cb855ab77fcf3577b4702ba1d6df1c98d
`4b04cc6a8f86c4842314def22332de1f15de8523`	affected	< 6f12734c4b619f923a4df0b1a46b8098b187d324
`4b04cc6a8f86c4842314def22332de1f15de8523`	affected	< acbc72dd1a09df53cafcf577259f4678be6afd6d
`4b04cc6a8f86c4842314def22332de1f15de8523`	affected	< b96c7b25eb1b748f3e3b1832ebf028b0b223d7e3
`4b04cc6a8f86c4842314def22332de1f15de8523`	affected	< b222680ba55e018426c4535067a008f1d81a5d21
`4b04cc6a8f86c4842314def22332de1f15de8523`	affected	< 166e31d7dbf6aa44829b98aa446bda5c9580f12a

Linux

affected

Version	Status	Constraints
`5.0`	affected	—
`0`	unaffected	< 5.0
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.131`	unaffected	≤ 6.6.*
`6.12.80`	unaffected	≤ 6.12.*
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,965e2c943f065122f14282a88d70a8a92e12a4da)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ba167d5982e2eb6ff9356d409eca592ce99555da)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,0685dd9cb855ab77fcf3577b4702ba1d6df1c98d)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6f12734c4b619f923a4df0b1a46b8098b187d324)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,acbc72dd1a09df53cafcf577259f4678be6afd6d)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,b96c7b25eb1b748f3e3b1832ebf028b0b223d7e3)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,b222680ba55e018426c4535067a008f1d81a5d21)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,166e31d7dbf6aa44829b98aa446bda5c9580f12a)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.10.253,5.10.*]`	unaffected	generic	—
`[5.15.203,5.15.*]`	unaffected	generic	—
`[6.1.168,6.1.*]`	unaffected	generic	—
`[6.6.131,6.6.*]`	unaffected	generic	—
`[6.12.80,6.12.*]`	unaffected	generic	—
`[6.18.21,6.18.*]`	unaffected	generic	—
`[6.19.11,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that contains the nvme‑pci polled queue fix provided by your distribution, which addresses the CWE‑367 race condition
Reboot the system so the updated kernel and NVMe subsystem take effect
Monitor I/O performance and kernel logs for any anomalous I/O behavior after the update

Generated by OpenCVE AI on April 29, 2026 at 02:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DLA	DLA-4606-1	linux security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0685dd9cb855ab77fcf3577b4702ba1d6df1c98d
https://git.kernel.org/stable/c/166e31d7dbf6aa44829b98aa446bda5c9580f12a
https://git.kernel.org/stable/c/6f12734c4b619f923a4df0b1a46b8098b187d324
https://git.kernel.org/stable/c/965e2c943f065122f14282a88d70a8a92e12a4da
https://git.kernel.org/stable/c/acbc72dd1a09df53cafcf577259f4678be6afd6d
https://git.kernel.org/stable/c/b222680ba55e018426c4535067a008f1d81a5d21
https://git.kernel.org/stable/c/b96c7b25eb1b748f3e3b1832ebf028b0b223d7e3
https://git.kernel.org/stable/c/ba167d5982e2eb6ff9356d409eca592ce99555da
https://lore.kernel.org/linux-cve-announce/2026042212-CVE-2026-31523-1f48@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31523
https://www.cve.org/CVERecord?id=CVE-2026-31523

History

Tue, 28 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-367
References		https://lore.kernel.org/linux-cve-announce/2026042212-CVE-2026-31523-1f48@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31523 https://www.cve.org/CVERecord?id=CVE-2026-31523
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nvme-pci: ensure we're polling a polled queue A user can change the polled queue count at run time. There's a brief window during a reset where a hipri task may try to poll that queue before the block layer has updated the queue maps, which would race with the now interrupt driven queue and may cause double completions.
Title		nvme-pci: ensure we're polling a polled queue
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0685dd9cb855ab77fcf3577b4702ba1d6df1c98d https://git.kernel.org/stable/c/166e31d7dbf6aa44829b98aa446bda5c9580f12a https://git.kernel.org/stable/c/6f12734c4b619f923a4df0b1a46b8098b187d324 https://git.kernel.org/stable/c/965e2c943f065122f14282a88d70a8a92e12a4da https://git.kernel.org/stable/c/acbc72dd1a09df53cafcf577259f4678be6afd6d https://git.kernel.org/stable/c/b222680ba55e018426c4535067a008f1d81a5d21 https://git.kernel.org/stable/c/b96c7b25eb1b748f3e3b1832ebf028b0b223d7e3 https://git.kernel.org/stable/c/ba167d5982e2eb6ff9356d409eca592ce99555da

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:54:37.568Z

Updated: 2026-05-11T22:10:26.646Z

Reserved: 2026-03-09T15:48:24.110Z

Link: CVE-2026-31523

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:52.263

Modified: 2026-04-28T18:09:51.203

Link: CVE-2026-31523

Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31523 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T02:45:35Z

Weaknesses

CWE-367

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object