Description
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: Fix swapped parameters in pci_{primary/secondary}_epc_epf_unlink() functions

struct configfs_item_operations callbacks are defined like the following:

int (*allow_link)(struct config_item *src, struct config_item *target);
void (*drop_link)(struct config_item *src, struct config_item *target);

While pci_primary_epc_epf_link() and pci_secondary_epc_epf_link() specify
the parameters in the correct order, pci_primary_epc_epf_unlink() and
pci_secondary_epc_epf_unlink() specify the parameters in the wrong order,
leading to the below kernel crash when using the unlink command in
configfs:

Unable to handle kernel paging request at virtual address 0000000300000857
Mem abort info:
...
pc : string+0x54/0x14c
lr : vsnprintf+0x280/0x6e8
...
string+0x54/0x14c
vsnprintf+0x280/0x6e8
vprintk_default+0x38/0x4c
vprintk+0xc4/0xe0
pci_epf_unbind+0xdc/0x108
configfs_unlink+0xe0/0x208+0x44/0x74
vfs_unlink+0x120/0x29c
__arm64_sys_unlinkat+0x3c/0x90
invoke_syscall+0x48/0x134
do_el0_svc+0x1c/0x30prop.0+0xd0/0xf0

[mani: cced stable, changed commit message as per https://lore.kernel.org/linux-pci/aV9joi3jF1R6ca02@ryzen]
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the Linux kernel's PCI endpoint code, where the parameters of the unlink functions are swapped. When an unlink operation is performed on a PCI endpoint via configfs, the wrong argument order causes the kernel to misinterpret data and crash, resulting in a kernel fault and service interruption. The crash can lead to a full system reboot or loss of service for all users of that machine, a denial-of-service condition that can be triggered by local users who can access configfs. No remote exploitation path is described, so the impact is limited to local users, privileged or unprivileged, with access to the configfs interface. No exploits are currently known in the wild.
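The following userspace model is an added example, not kernel code and not part of the original record. It shows why the compiler accepts the swap (both callback parameters are struct config_item *) and how the wrong container ends up being derived from each pointer. The struct layouts, the kind tag used to report the mismatch instead of dereferencing it, the int return value, the src = EPF / target = EPC ordering and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model. Layouts, the kind tag and all names below are
 * assumptions made for this example; this is not kernel code. */
struct config_item { const char *ci_name; };
enum kind { KIND_EPC = 1, KIND_EPF = 2 };
struct group_hdr { enum kind kind; struct config_item item; };
struct epc_group { struct group_hdr hdr; int max_functions; };
struct epf_group { struct group_hdr hdr; const char *driver; };

#define container_of(p, type, member) \
	((type *)((char *)(p) - offsetof(type, member)))

/* Checked downcasts: return NULL when the item belongs to the other kind. */
static struct group_hdr *hdr_of(struct config_item *it, enum kind want)
{
	struct group_hdr *h = container_of(it, struct group_hdr, item);
	return h->kind == want ? h : NULL;
}
static struct epf_group *to_epf(struct config_item *it)
{ return (struct epf_group *)hdr_of(it, KIND_EPF); }
static struct epc_group *to_epc(struct config_item *it)
{ return (struct epc_group *)hdr_of(it, KIND_EPC); }

/* Same shape as drop_link, but returning int so the outcome is visible. */
typedef int (*drop_link_fn)(struct config_item *src, struct config_item *target);

/* Parameter names swapped relative to the caller's (src, target) order. */
static int unlink_swapped(struct config_item *epc_item, struct config_item *epf_item)
{ return (to_epc(epc_item) && to_epf(epf_item)) ? 0 : -1; }

/* Parameter names in the same order as the link callback. */
static int unlink_fixed(struct config_item *epf_item, struct config_item *epc_item)
{ return (to_epf(epf_item) && to_epc(epc_item)) ? 0 : -1; }

/* Constructed objects; the caller passes src = EPF item, target = EPC item. */
static int run_unlink(drop_link_fn cb)
{
	struct epf_group epf = { { KIND_EPF, { "func0" } }, "example_fn" };
	struct epc_group epc = { { KIND_EPC, { "ctrl0" } }, 1 };
	return cb(&epf.hdr.item, &epc.hdr.item);
}

int main(void)
{
	printf("swapped: %d\n", run_unlink(unlink_swapped));
	printf("fixed:   %d\n", run_unlink(unlink_fixed));
	return 0;
}
```

Both callbacks are assignable to drop_link_fn without any diagnostic; only the tag check distinguishes them at run time.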

Affected Systems

Affected systems are Linux kernel installations that include the pci_{primary/secondary}_epc_epf_unlink() functions and have not yet been patched to the latest stable release. The CVE references kernel commit logs showing that the fix was merged into mainline. Kernels that incorporate these commits are unaffected; older kernels remain vulnerable.

Risk and Exploitability

The CVSS score is not disclosed and EPSS is not available, so the probability of exploitation is unknown. The kernel crash nonetheless indicates a high impact if the vulnerability is triggered. Because the flaw is triggered by a configfs unlink command, the primary attack vector is local and requires write access to the PCI endpoint's configfs directory. The lack of a KEV listing suggests no publicly known, active exploits, but a crash of this severity warrants caution and prompt patching.

Generated by OpenCVE AI on May 6, 2026 at 14:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to the latest stable release that includes the pci_{primary/secondary}_epc_epf_unlink() fix.
  • Restrict write access to the PCI endpoint configfs directories to privileged users only and disable unneeded configfs mounts.
  • Restart any services that depend on PCI endpoint devices after the kernel update to confirm stability.


Advisories

No advisories yet.

History

Wed, 06 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title PCI: endpoint: Fix swapped parameters in pci_{primary/secondary}_epc_epf_unlink() functions
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:28:06.904Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43200

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:39.090

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43200

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T17:00:05Z

Weaknesses