Description
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown

epf_ntb_epc_destroy() duplicates the teardown that the caller is
supposed to perform later. This leads to an oops when .allow_link fails
or when .drop_link is performed. The following is an example oops of the
former case:

Unable to handle kernel paging request at virtual address dead000000000108
[...]
[dead000000000108] address between user and kernel address ranges
Internal error: Oops: 0000000096000044 [#1] SMP
[...]
Call trace:
pci_epc_remove_epf+0x78/0xe0 (P)
pci_primary_epc_epf_link+0x88/0xa8
configfs_symlink+0x1f4/0x5a0
vfs_symlink+0x134/0x1d8
do_symlinkat+0x88/0x138
__arm64_sys_symlinkat+0x74/0xe0
[...]

Remove the helper, and drop pci_epc_put(). EPC device refcounting is
tied to the configfs EPC group lifetime, and pci_epc_put() in the
.drop_link path is sufficient.
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, epf_ntb_epc_destroy() tears down PCI endpoint resources that its caller is expected to release later. Because the teardown is duplicated, a kernel oops is triggered when .allow_link fails or when .drop_link is performed. The oops can crash the operating system, causing a denial of service. The weakness is an improper resource management flaw that can lead to a double release or uninitialized resource use, but does not directly expose sensitive data.

Affected Systems

The vulnerability exists in all Linux kernel builds that include the PCI endpoint subsystem and contain the epf_ntb_epc_destroy code path before the safety fix was merged. Anyone running a kernel version that has not incorporated the commit that removes the duplicate teardown is affected. The exact affected releases are not enumerated in the advisory, so any kernel that predates the fix is at risk.

Risk and Exploitability

The EPSS score indicates a very low exploitation probability (<1%), and the vulnerability is not listed in the CISA KEV catalog, meaning it has not been observed in the wild. The CVSS score of 5.5 reflects moderate severity, confirming the risk is non-zero but not critical. Because the flaw requires interaction with PCI endpoint devices and privileged kernel code, an attacker must have appropriate access to trigger the faulty path. Nonetheless, a local or privileged attacker can provoke the double teardown and cause a system crash, resulting in a denial of service.

Generated by OpenCVE AI on April 30, 2026 at 04:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated Linux kernel that contains the patch removing the duplicate resource teardown and dropping the pci_epc_put() call.
  • If a kernel upgrade cannot be performed immediately, permanently blacklist or disable the affected PCI endpoint driver to prevent the vulnerable code path from executing.
  • Continuously monitor system logs and kernel crash dumps for Oops events or kernel panics that could indicate an attempt to exploit the vulnerability.

Advisories
Source | ID | Title
Debian DSA | DSA-6238-1 | linux security update
History

Mon, 01 Jun 2026 17:00:00 +0000


Wed, 29 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 29 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Tue, 28 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Mon, 27 Apr 2026 14:15:00 +0000


Mon, 27 Apr 2026 11:30:00 +0000


Sat, 25 Apr 2026 00:15:00 +0000


Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Title PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-01T16:12:09.283Z

Reserved: 2026-03-09T15:48:24.121Z

Link: CVE-2026-31594

Vulnrichment

No data.

NVD

Status: Modified

Published: 2026-04-24T15:16:37.087

Modified: 2026-06-01T17:16:50.037

Link: CVE-2026-31594

Redhat

Severity: Moderate

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31594 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-30T04:15:26Z

Weaknesses