Description
In the Linux kernel, the following vulnerability has been resolved:

vfio/cdx: Fix NULL pointer dereference in interrupt trigger path

Add validation to ensure MSI is configured before accessing cdx_irqs
array in vfio_cdx_set_msi_trigger(). Without this check, userspace
can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS
with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before
ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD.

The vfio_cdx_msi_enable() function allocates the cdx_irqs array and
sets config_msi to 1 only when called through the EVENTFD path. The
trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been
done, but there was no enforcement of this call ordering.

This matches the protection used in the PCI VFIO driver where
vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop.
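The call-ordering bug the commit message describes, as an added user-space model that is not the kernel's own code: the names cdx_irqs, config_msi, vfio_cdx_msi_enable and vfio_cdx_set_msi_trigger come from the description, while the flag values, the error return codes and the check_msi switch that selects pre-patch or patched behaviour are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for the VFIO_IRQ_SET_DATA_* flag bits (assumption). */
#define DATA_NONE    0x1u
#define DATA_BOOL    0x2u
#define DATA_EVENTFD 0x4u
#define ENOMEM_RET  (-12)
#define EINVAL_RET  (-22)
#define OOPS_RET    (-1)   /* model-only: stands in for the kernel NULL dereference */

struct cdx_irq { int eventfd; unsigned int triggered; };

struct vfio_cdx_device {
    struct cdx_irq *cdx_irqs;  /* NULL until the EVENTFD path allocates it */
    int config_msi;            /* set to 1 by vfio_cdx_msi_enable() */
    unsigned int nvec;
};

/* EVENTFD path: allocate cdx_irqs and record that MSI is configured. */
static int vfio_cdx_msi_enable(struct vfio_cdx_device *d, unsigned int nvec, const int *fds)
{
    d->cdx_irqs = calloc(nvec, sizeof(*d->cdx_irqs));
    if (!d->cdx_irqs) return ENOMEM_RET;
    for (unsigned int i = 0; i < nvec; i++) d->cdx_irqs[i].eventfd = fds[i];
    d->nvec = nvec;
    d->config_msi = 1;
    return 0;
}

/* Trigger loop for DATA_NONE/DATA_BOOL. check_msi == 0 models the pre-patch
 * function, which walked cdx_irqs without verifying it had been allocated;
 * check_msi == 1 adds the config_msi test the fix introduces (return code assumed). */
static int vfio_cdx_set_msi_trigger(struct vfio_cdx_device *d, unsigned int flags,
                                    unsigned int start, unsigned int count,
                                    const uint8_t *bools, int check_msi)
{
    if (flags & DATA_EVENTFD) return EINVAL_RET;        /* EVENTFD is a separate path here */
    if (check_msi && !d->config_msi) return EINVAL_RET; /* the fix: MSI must be configured */
    if (!d->cdx_irqs) return OOPS_RET;                  /* where the kernel would crash */
    if (start + count > d->nvec) return EINVAL_RET;
    for (unsigned int i = start; i < start + count; i++) {
        if ((flags & DATA_NONE) || ((flags & DATA_BOOL) && bools[i - start]))
            d->cdx_irqs[i].triggered++;
    }
    return 0;
}
```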
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel VFIO/CDX driver contains a flaw that allows a NULL pointer dereference in the interrupt trigger loop. Userspace can invoke VFIO_DEVICE_SET_IRQS with the VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before configuring MSI through the EVENTFD path, causing the driver to index the cdx_irqs array while the pointer is still NULL because it has not yet been allocated. The result is an uncontrolled kernel crash that can be used as a denial‑of‑service vector. This is a classic NULL pointer dereference (CWE‑476) whose root cause is a missing initialization of the resource (CWE‑909).

Affected Systems

All Linux kernel releases that have not yet incorporated the patch commit referenced in the CVE description are affected. The vulnerability resides in the generic Linux kernel and is vendor‑neutral, affecting any distribution that ships the kernel unchanged. No specific version ranges are listed, so any pre‑patch kernel that exposes VFIO/CDX devices is potentially vulnerable.

Risk and Exploitability

The vulnerability is local; exploitation requires the ability to issue VFIO ioctl calls on a device that supports CDX. No public exploits are documented, and the EPSS score is not available. The patch adds a check that MSI has been configured before the trigger loop runs, mitigating the issue. Because a kernel crash can lead to a reboot or a loss of service, the risk is considered high for any system that exposes vulnerable VFIO devices to untrusted users. The vulnerability is not listed in the CISA KEV catalog, indicating no widely known active exploitation yet.

Generated by OpenCVE AI on May 28, 2026 at 04:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the NULL pointer dereference check in vfio_cdx_set_msi_trigger, such as the latest upstream release or the vendor’s security update for your distribution.
  • If an immediate kernel update is not feasible, limit the use of VFIO/CDX devices by removing them from untrusted containers or applications, ensuring that only privileged processes can open these devices.
  • Verify that the VFIO driver is configured to require valid MSI configuration by setting appropriate access controls on the ioctl interfaces, and consider disabling the VFIO_DEVICE_SET_IRQS ioctl for devices that do not need dynamic interrupt configuration.



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 28 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 28 May 2026 00:15:00 +0000


Wed, 27 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description (the same text as the Description section at the top of this page)
Title vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:49:29.082Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46034

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:22.463

Modified: 2026-06-16T16:59:26.720

Link: CVE-2026-46034

Redhat

Severity:

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46034 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T05:00:08Z

Weaknesses
  • CWE-476

    NULL Pointer Dereference

  • CWE-909

    Missing Initialization of Resource