Description
In the Linux kernel, the following vulnerability has been resolved:

vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex

vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the
vdev->cdx_irqs array based on its value, but provides no serialization
against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race
such that one observes config_msi as set while another clears it and
frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free
of the cdx_irqs array.

Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in
vfio_cdx_set_msi_trigger(), which is the single chokepoint through
which all updates to config_msi, cdx_irqs, and msi_count flow, covering
both the ioctl path and the close-device cleanup path. This keeps the
test of config_msi atomic with the subsequent enable, disable, or
trigger operations.

Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part
of this change: the optimization it provided is redundant with the
!config_msi early-return inside vfio_cdx_msi_disable(), and leaving the
test in place would be an unsynchronized read of state the new lock is
meant to protect.
Published: 2026-05-27
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel vfio-cdx driver contains a race condition in which two concurrent VFIO_DEVICE_SET_IRQS ioctl calls on the same device can trigger a use-after-free of the cdx_irqs array. vfio_cdx_set_msi_trigger() tests vdev->config_msi and then indexes vdev->cdx_irqs without holding any lock, so one caller can observe config_msi as set while another clears it and frees the array in vfio_cdx_msi_disable(); the first caller then touches freed memory during its enable, disable, or trigger operation. The root cause is missing synchronization (CWE-820) and the effect is a use-after-free (CWE-416, the weakness recorded in the History section below). A use-after-free in kernel memory is a memory-corruption primitive: at minimum it can crash the kernel, and it may be leverageable for kernel-mode code execution.
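The interleaving walked through above, written out as a small C model. This is an added example, not code from the kernel or from the vfio-cdx driver: the names cdx_dev, irq, msi_disable(), racing_disable(), trigger_unlocked(), trigger_locked(), run_race() and the preempt hook are stand-ins chosen for the illustration, the "quarantine" allocator exists only so the use-after-free is reported as a value rather than crashing the process, and the mutex is modelled by a held flag plus a deferred-caller counter so the run is deterministic without threads.

```c
/* Added example, not the kernel's own code: a deterministic single-threaded
 * model of the race described above. cdx_dev, msi_disable() and trigger_*()
 * stand in for struct vfio_cdx_device, vfio_cdx_msi_disable() and
 * vfio_cdx_set_msi_trigger(); the preempt hook stands in for the other CPU
 * entering VFIO_DEVICE_SET_IRQS between the config_msi test and the use. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum outcome { OK = 0, UAF_DETECTED = 1 };
struct irq { int signalled; bool freed; };
struct race_result { enum outcome trig; bool msi_still_configured; };

struct cdx_dev {
    bool config_msi;                    /* vdev->config_msi */
    struct irq *irqs;                   /* vdev->cdx_irqs */
    size_t msi_count;                   /* vdev->msi_count */
    bool locked;                        /* cdx_irqs_lock currently held */
    void (*preempt)(struct cdx_dev *);  /* injected interleaving point */
};

/* Quarantine "allocator": freed entries stay mapped but flagged, so a
 * use-after-free is reported as a value instead of undefined behaviour. */
#define POOL_SIZE 4
static struct irq pool[POOL_SIZE];

static struct irq *irq_alloc(size_t n) {
    for (size_t i = 0; i < n && i < POOL_SIZE; i++)
        pool[i] = (struct irq){ 0 };
    return pool;
}

static void irq_free(struct irq *a, size_t n) {
    for (size_t i = 0; i < n; i++)
        a[i].freed = true;              /* kfree() would leave this dangling */
}

/* Same shape as vfio_cdx_msi_disable(): early-return when nothing is set up. */
static void msi_disable(struct cdx_dev *d) {
    if (!d->config_msi)
        return;
    irq_free(d->irqs, d->msi_count);
    d->irqs = NULL;
    d->msi_count = 0;
    d->config_msi = false;
}

/* The racing caller: blocked while the lock is held, replayed after unlock. */
static int deferred_disables;
static void racing_disable(struct cdx_dev *d) {
    if (d->locked) { deferred_disables++; return; }
    msi_disable(d);
}

/* Vulnerable shape: test config_msi, lose the CPU, then touch cdx_irqs. */
static enum outcome trigger_unlocked(struct cdx_dev *d, size_t idx) {
    if (!d->config_msi)
        return OK;                      /* nothing configured: no-op */
    struct irq *irqs = d->irqs;         /* pointer held across the window */
    d->preempt(d);                      /* concurrent disable lands here */
    if (irqs[idx].freed)
        return UAF_DETECTED;
    irqs[idx].signalled++;              /* eventfd_signal() in the driver */
    return OK;
}

/* Fixed shape: the test and the use sit in one critical section. */
static enum outcome trigger_locked(struct cdx_dev *d, size_t idx) {
    enum outcome r = OK;
    d->locked = true;                   /* mutex_lock(&vdev->cdx_irqs_lock) */
    if (d->config_msi) {
        struct irq *irqs = d->irqs;
        d->preempt(d);                  /* the other caller blocks here */
        if (irqs[idx].freed)
            r = UAF_DETECTED;
        else
            irqs[idx].signalled++;
    }
    d->locked = false;                  /* mutex_unlock(): waiter proceeds */
    return r;
}

/* One interleaving: two MSIs configured, trigger index 1 while a disable
 * races, then let any disable that was blocked on the lock run to completion. */
static struct race_result run_race(enum outcome (*trigger)(struct cdx_dev *, size_t)) {
    struct cdx_dev d = { .config_msi = true, .irqs = irq_alloc(2), .msi_count = 2,
                         .preempt = racing_disable };
    struct race_result res;
    deferred_disables = 0;
    res.trig = trigger(&d, 1);
    while (deferred_disables-- > 0)
        msi_disable(&d);
    res.msi_still_configured = d.config_msi;
    return res;
}

int main(void) {
    printf("unlocked: %s\n", run_race(trigger_unlocked).trig == UAF_DETECTED ? "use-after-free" : "ok");
    printf("locked:   %s\n", run_race(trigger_locked).trig == UAF_DETECTED ? "use-after-free" : "ok");
    return 0;
}
```

Built with `cc -std=c99 -Wall race.c`, it prints use-after-free for the unlocked shape and ok for the locked one; in both runs the disable still completes, only its position relative to the trigger changes. The point the model makes concrete is that a config_msi test is only meaningful if the access it guards happens before any other caller can change config_msi, which is also why the commit removes the stand-alone !cdx_irqs check from vfio_cdx_irqs_cleanup() instead of keeping it as an optimization.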

Affected Systems

All Linux kernel releases that include the vfio-cdx driver but lack the per-device cdx_irqs_lock mutex introduced by commit 670e8864b1a218d72f08db40d0103adf38fa1d9b are affected. The driver is only built when CONFIG_VFIO_CDX is enabled, which in turn requires the CDX bus (CONFIG_CDX_BUS), so a kernel that does not ship the vfio-cdx module is not exposed regardless of its age. The CVE does not specify version ranges; check whether the running kernel carries the fix commit (or a distribution backport of it) rather than relying on the version number alone.

Risk and Exploitability

The EPSS estimate shown above is below 1% (Very Low) and the issue is not listed in the CISA KEV catalog, so there is no indication of public exploitation at the time of this analysis. Exploitation requires an open file descriptor for a device bound to the vfio-cdx driver and the ability to issue VFIO_DEVICE_SET_IRQS on it from two concurrent callers (for example two threads of the same process). Such descriptors are normally available only to root or to the specific user or VMM process an administrator has granted the device to, which limits the attacker population; the practical concern is that a userspace driver or VMM that has already been handed a CDX device can turn that grant into a kernel memory-corruption primitive. Given the severity of a kernel use-after-free, the fix warrants prompt attention wherever the driver is in use.

Generated by OpenCVE AI on May 28, 2026 at 05:41 UTC.

Remediation

No vendor advisory or workaround is listed on this page. The upstream fix is commit 670e8864b1a218d72f08db40d0103adf38fa1d9b (the change described in the Description above); see the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains upstream commit 670e8864b1a218d72f08db40d0103adf38fa1d9b, or a distribution backport of it, which adds the cdx_irqs_lock mutex that serializes all updates to config_msi, cdx_irqs, and msi_count in vfio_cdx_set_msi_trigger().
  • If a kernel upgrade cannot be performed immediately, make sure the VFIO device nodes (/dev/vfio/*) are reachable only by trusted administrators and by the specific user or VMM process that legitimately needs the CDX device; review file permissions, ACLs and any udev rules that widen them. This limits who can reach the vulnerable ioctl but does not protect against a compromised process that already holds the device.
  • As a temporary containment measure where the CDX device is not needed, unbind it from vfio-cdx and unload or blacklist the vfio-cdx module (vfio_cdx); this removes the racy code path entirely, at the cost of CDX device passthrough, until a patched kernel can be deployed.

Generated by OpenCVE AI on May 28, 2026 at 05:41 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 04:15:00 +0000
  Weaknesses: CWE-416

Thu, 28 May 2026 00:15:00 +0000
  (no field changes shown)

Wed, 27 May 2026 20:45:00 +0000
  Weaknesses: CWE-416

Wed, 27 May 2026 14:15:00 +0000
  Description added: the full CVE description, identical to the Description section at the top of this page
  Title added: vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
  First Time appeared: Linux; Linux linux Kernel
  CPEs added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products added: Linux; Linux linux Kernel
  References: (none listed)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:46.381Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46036

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:22.913

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46036

Redhat

Severity:

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46036 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T05:45:05Z

Weaknesses