Description
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown

epf_ntb_epc_destroy() duplicates the teardown that the caller is
supposed to do later. This leads to an oops when .allow_link fails or
when .drop_link is performed. Remove the helper.

Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC
group lifetime, and pci_epc_put() in the .drop_link path is sufficient.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel project identified a flaw in the PCI endpoint driver, specifically in the epf_ntb_epc_destroy handler. The function duplicated the teardown that the caller was already expected to perform, triggering a double free that leads to a kernel oops when .allow_link fails or .drop_link is invoked. This results in a loss of kernel stability and a potential denial of service for the affected host. The weakness is a classic double-free scenario, producing memory corruption and a crash.
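The duplicate-teardown pattern described above, as an added example that is not taken from the kernel source or from OpenCVE: a simplified userspace model in which every name (`link_state`, `teardown`, `drv_bind`, `drv_unbind`, `link_cycle`) is hypothetical and the oops is represented by a fault counter. It models only the resource teardown on the two paths the description names, not the EPC reference counting.

```c
#include <stdio.h>

/* Userspace model only; all names are hypothetical, none of this is kernel code. */
struct link_state {
    int attached;   /* 1 while the caller-owned resources are live */
    int faults;     /* teardown attempted on already-released state */
};

/* The teardown that the link caller is supposed to perform exactly once. */
static void teardown(struct link_state *s)
{
    if (!s->attached) {
        s->faults++;        /* stands in for the kernel oops */
        return;
    }
    s->attached = 0;
}

/* Driver bind; helper_present = 1 models the helper that the fix removes. */
static int drv_bind(struct link_state *s, int helper_present, int fail)
{
    if (fail && helper_present)
        teardown(s);        /* duplicate: the caller repeats this on error */
    return fail ? -1 : 0;
}

static void drv_unbind(struct link_state *s, int helper_present)
{
    if (helper_present)
        teardown(s);        /* duplicate of the caller's drop_link work */
}

/* Caller side, shaped like .allow_link followed by .drop_link.
 * Returns the number of faults observed over the whole cycle. */
static int link_cycle(int helper_present, int bind_fails)
{
    struct link_state s = { .attached = 1, .faults = 0 };

    if (drv_bind(&s, helper_present, bind_fails) == 0)
        drv_unbind(&s, helper_present);   /* the later .drop_link */
    teardown(&s);                         /* caller-owned teardown */
    return s.faults;
}

int main(void)
{
    printf("helper present: allow_link fails=%d, drop_link=%d\n",
           link_cycle(1, 1), link_cycle(1, 0));
    printf("helper removed: allow_link fails=%d, drop_link=%d\n",
           link_cycle(0, 1), link_cycle(0, 0));
    return 0;
}
```

With the helper present, both paths reach the teardown twice; with it removed, each path tears down once and the fault counter stays at zero.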

Affected Systems

All Linux kernel distributions that include the failing epf_ntb_epc_destroy path are affected. The vulnerability is present in the kernel code base referenced by the provided commit identifiers. No specific version range is listed, so any kernel that has not merged the recent patch commits could be vulnerable.

Risk and Exploitability

Exploitation requires privileged access to the PCI endpoint subsystem and the ability to trigger .allow_link or .drop_link operations that exercise the faulty teardown logic. Because the condition relies on internal kernel driver state, the attack vector is likely local or requires root, and no publicly available remote exploit is confirmed. The EPSS score is unavailable and the issue is not catalogued in the CISA KEV list, pointing to a moderate but not imminent risk for typical users. Immediate patching should mitigate the risk entirely.

Generated by OpenCVE AI on May 27, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Linux kernel version that contains the patch removing duplicate teardown; refer to the commit logs linked in the CVE references.
  • If kernel upgrade is not yet possible, avoid activating the affected PCI endpoint features or disable the problematic epf_ntb_epc_destroy path via kernel configuration where feasible.
  • Ensure that the EPC device refcounting aligns with the configfs EPC group lifetime by verifying no calls to pci_epc_put remain in the .drop_link path.

Advisories

No advisories yet.

History

Wed, 27 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown epf_ntb_epc_destroy() duplicates the teardown that the caller is supposed to do later. This leads to an oops when .allow_link fails or when .drop_link is performed. Remove the helper. Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC group lifetime, and pci_epc_put() in the .drop_link path is sufficient.
Title | | PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:09.581Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46009

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:18.710

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46009

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T17:00:17Z

Weaknesses