CVE-2026-31595 - Vulnerability Details

- PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup

Disable the delayed work before clearing BAR mappings and doorbells to
avoid running the handler after resources have been torn down.

Unable to handle kernel paging request at virtual address ffff800083f46004
[...]
Internal error: Oops: 0000000096000007 [#1] SMP
[...]
Call trace:
epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)
process_one_work+0x154/0x3b0
worker_thread+0x2c8/0x400
kthread+0x148/0x210
ret_from_fork+0x10/0x20

Published: 2026-04-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A defect in the Linux PCI endpoint driver causes delayed work to run after the driver has torn down hardware resources, leading to an invalid memory access and a kernel oops. The crash results in a system halt, denying availability of the system.

Affected Systems

The vulnerability exists in the Linux kernel’s PCI firmware endpoint for NTB devices. Any Linux installation that includes the epf_ntb driver prior to the patch is affected; the specific kernel version affected is not listed, so all kernels containing the vulnerable code are at risk.

Risk and Exploitability

The CVSS score is 5.5, but the vulnerability is not listed in CISA KEV, and the EPSS score is less than 1%, indicating a very low current exploitation probability. The attack likely requires local privilege or an ability to manipulate the PCI endpoint to trigger the delayed work, so exploitation is possible but not trivial. Because the flaw results in a crash rather than code execution, the primary impact is a denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e35f56bb03304abc92c928b641af41ca372966bb`	affected	< ceb73484e7204f661f770069ecdf35f6e941879c
`e35f56bb03304abc92c928b641af41ca372966bb`	affected	< 6773cc24c004930903a57761132c1e7728907f8f
`e35f56bb03304abc92c928b641af41ca372966bb`	affected	< 9921cce25bfe4021f6e55ca995351eb967165297
`e35f56bb03304abc92c928b641af41ca372966bb`	affected	< 5999067140c67530a6cb6f41a8471596e60452cb
`e35f56bb03304abc92c928b641af41ca372966bb`	affected	< fbb6c353fa2fb5f5f990eda034a1074b0356127e
`e35f56bb03304abc92c928b641af41ca372966bb`	affected	< d799984233a50abd2667a7d17a9a710a3f10ebe2
`e2b6ef72b7aea9d7d480d2df499bcd1c93247abb`	affected	—

Linux

affected

Version	Status	Constraints
`6.0`	affected	—
`0`	unaffected	< 6.0
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e35f56bb03304abc92c928b641af41ca372966bb,ceb73484e7204f661f770069ecdf35f6e941879c)`	affected	code_commit	—
`[e35f56bb03304abc92c928b641af41ca372966bb,6773cc24c004930903a57761132c1e7728907f8f)`	affected	code_commit	—
`[e35f56bb03304abc92c928b641af41ca372966bb,9921cce25bfe4021f6e55ca995351eb967165297)`	affected	code_commit	—
`[e35f56bb03304abc92c928b641af41ca372966bb,5999067140c67530a6cb6f41a8471596e60452cb)`	affected	code_commit	—
`[e35f56bb03304abc92c928b641af41ca372966bb,fbb6c353fa2fb5f5f990eda034a1074b0356127e)`	affected	code_commit	—
`[e35f56bb03304abc92c928b641af41ca372966bb,d799984233a50abd2667a7d17a9a710a3f10ebe2)`	affected	code_commit	—
`e2b6ef72b7aea9d7d480d2df49bcd1c93247abb`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.0`	affected	semver	—
`[0,6.0)`	unaffected	semver	—
`[6.6.136,6.6.*]`	unaffected	semver	—
`[6.12.83,6.12.*]`	unaffected	semver	—
`[6.18.24,6.18.*]`	unaffected	semver	—
`[6.19.14,6.19.*]`	unaffected	semver	—
`[7.0.1,*]`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel update that includes commit 5999067140c67530a6cb6f41a8471596e60452cb, which resolves the improper precondition check (CWE-366) by stopping delayed work before freeing resources.
If a kernel update is not yet available, prevent the epf_ntb driver from loading by adding "blacklist epf_ntb" to /etc/modprobe.d/blacklist.conf or unloading the module with "modprobe -r epf_ntb" after boot.
After applying the patch or disabling the driver, reboot the system to ensure no delayed work is scheduled; verify that the kernel no longer attempts to access freed BAR mappings or doorbells.

Generated by OpenCVE AI on April 29, 2026 at 17:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/5999067140c67530a6cb6f41a8471596e60452cb
https://git.kernel.org/stable/c/6773cc24c004930903a57761132c1e7728907f8f
https://git.kernel.org/stable/c/9921cce25bfe4021f6e55ca995351eb967165297
https://git.kernel.org/stable/c/ceb73484e7204f661f770069ecdf35f6e941879c
https://git.kernel.org/stable/c/d799984233a50abd2667a7d17a9a710a3f10ebe2
https://git.kernel.org/stable/c/fbb6c353fa2fb5f5f990eda034a1074b0356127e
https://lore.kernel.org/linux-cve-announce/2026042416-CVE-2026-31595-b754@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31595
https://www.cve.org/CVERecord?id=CVE-2026-31595

History

Wed, 29 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/ceb73484e7204f661f770069ecdf35f6e941879c

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/d799984233a50abd2667a7d17a9a710a3f10ebe2

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-366
References		https://lore.kernel.org/linux-cve-announce/2026042416-CVE-2026-31595-b754@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31595 https://www.cve.org/CVERecord?id=CVE-2026-31595

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup Disable the delayed work before clearing BAR mappings and doorbells to avoid running the handler after resources have been torn down. Unable to handle kernel paging request at virtual address ffff800083f46004 [...] Internal error: Oops: 0000000096000007 [#1] SMP [...] Call trace: epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P) process_one_work+0x154/0x3b0 worker_thread+0x2c8/0x400 kthread+0x148/0x210 ret_from_fork+0x10/0x20
Title		PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/5999067140c67530a6cb6f41a8471596e60452cb https://git.kernel.org/stable/c/6773cc24c004930903a57761132c1e7728907f8f https://git.kernel.org/stable/c/9921cce25bfe4021f6e55ca995351eb967165297 https://git.kernel.org/stable/c/fbb6c353fa2fb5f5f990eda034a1074b0356127e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:21.355Z

Updated: 2026-05-11T22:11:49.806Z

Reserved: 2026-03-09T15:48:24.121Z

Link: CVE-2026-31595

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:37.237

Modified: 2026-04-29T14:22:35.743

Link: CVE-2026-31595

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31595 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T17:30:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object