Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: qat - fix IRQ cleanup on 6xxx probe failure

When adf_dev_up() partially completes and then fails, the IRQ
handlers registered during adf_isr_resource_alloc() are not detached
before the MSI-X vectors are released.

Since the device is enabled with pcim_enable_device(), calling
pci_alloc_irq_vectors() internally registers pcim_msi_release() as a
devres action. On probe failure, devres runs pcim_msi_release() which
calls pci_free_irq_vectors(), tearing down the MSI-X vectors while IRQ
handlers (for example 'qat0-bundle0') are still attached. This causes
remove_proc_entry() warnings:

[ 22.163964] remove_proc_entry: removing non-empty directory 'irq/143', leaking at least 'qat0-bundle0'

Moving the devm_add_action_or_reset() before adf_dev_up() does not solve
the problem since devres runs in LIFO order and pcim_msi_release(),
registered later inside adf_dev_up(), would still fire before
adf_device_down().

Fix by calling adf_dev_down() explicitly when adf_dev_up() fails, to
properly free IRQ handlers before devres releases the MSI-X vectors.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s QAT crypto driver fails to detach registered IRQ handlers when a probe error occurs. Instead, the MSI‑X vectors are freed while handlers remain attached, leaving residual /proc entries such as ‘qat0-bundle0’ and emitting remove_proc_entry warnings. This improper cleanup can leave the kernel in an unstable state and may allow a faulted driver to trigger a kernel panic or degrade system reliability; it matches a resource leakage issue (CWE‑459).

Affected Systems

Any Linux kernel that includes the QAT crypto driver is potentially affected. No specific version range is provided, so all distributions shipping the kernel with the qat driver may be vulnerable until a kernel update containing the fix is applied.

Risk and Exploitability

The CVSS score of 5.5 and the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. It is a local kernel‑level bug that is triggered when the driver attempts to initialize a QAT device and fails. An attacker with physical or privileged access to a QAT device could force a probe failure, causing orphaned IRQ handlers and possibly crashing the system, which represents a denial of service. Because the exploit requires driver load‑time conditions and hardware access, remote exploitation is unlikely, but once privilege is obtained the impact is high.

Generated by OpenCVE AI on May 28, 2026 at 04:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest kernel update or vendor patch that includes the call to adf_dev_down() on probe failure in the QAT driver.
  • If a patch is not yet available, disable the QAT driver or prevent QAT devices from being probed by removing or blacklisting the corresponding modules.
  • On systems that must keep the driver, monitor system logs for remove_proc_entry warnings and perform a hotplug reset or kernel reboot if such warnings appear to ensure the device is cleanly removed.

Generated by OpenCVE AI on May 28, 2026 at 04:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-676

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-459
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 27 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-676

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: crypto: qat - fix IRQ cleanup on 6xxx probe failure When adf_dev_up() partially completes and then fails, the IRQ handlers registered during adf_isr_resource_alloc() are not detached before the MSI-X vectors are released. Since the device is enabled with pcim_enable_device(), calling pci_alloc_irq_vectors() internally registers pcim_msi_release() as a devres action. On probe failure, devres runs pcim_msi_release() which calls pci_free_irq_vectors(), tearing down the MSI-X vectors while IRQ handlers (for example 'qat0-bundle0') are still attached. This causes remove_proc_entry() warnings: [ 22.163964] remove_proc_entry: removing non-empty directory 'irq/143', leaking at least 'qat0-bundle0' Moving the devm_add_action_or_reset() before adf_dev_up() does not solve the problem since devres runs in LIFO order and pcim_msi_release(), registered later inside adf_dev_up(), would still fire before adf_device_down(). Fix by calling adf_dev_down() explicitly when adf_dev_up() fails, to properly free IRQ handlers before devres releases the MSI-X vectors.
Title crypto: qat - fix IRQ cleanup on 6xxx probe failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:20.991Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46060

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:25.757

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46060

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46060 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T04:30:06Z

Weaknesses