Description
In the Linux kernel, the following vulnerability has been resolved:

x86/efi: Fix graceful fault handling after FPU softirq changes

Since commit d02198550423 ("x86/fpu: Improve crypto performance by
making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin()
calls fpregs_lock() which uses local_bh_disable() instead of the
previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count
during the entire EFI runtime service call, causing in_interrupt() to
return true in normal task context.

The graceful page fault handler efi_crash_gracefully_on_page_fault()
uses in_interrupt() to bail out for faults in real interrupt context.
With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI
firmware page faults unhandled. This escalates to die() which also sees
in_interrupt() as true and calls panic("Fatal exception in interrupt"),
resulting in a hard system freeze. On systems with buggy firmware that
triggers page faults during EFI runtime calls (e.g., accessing unmapped
memory in GetTime()), this causes an unrecoverable hang instead of the
expected graceful EFI_ABORTED recovery.

Fix by replacing in_interrupt() with !in_task(). This preserves the
original intent of bailing for interrupts or NMI faults, while no longer
falsely triggering from the FPU code path's local_bh_disable().

[ardb: Sashiko spotted that using 'in_hardirq() || in_nmi()' leaves a
window where a softirq may be taken before fpregs_lock() is
called, but after efi_rts_work.efi_rts_id has been assigned,
and any page faults occurring in that window will then be
misidentified as having been caused by the firmware. Instead,
use !in_task(), which incorporates in_serving_softirq(). ]
Published: 2026-06-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the Linux kernel’s handling of firmware‑initiated page faults during EFI runtime service calls. A recent commit changed the way FPU state is protected, setting a soft‑irq offset that makes the kernel believe it is in interrupt context even in normal task code. The page‑fault handler therefore misclassifies the fault, aborts the firmware call and triggers a kernel panic. The result is an unrecoverable system halt instead of the expected graceful EFI_ABORTED recovery, effectively disabling the machine for further use.

Affected Systems

All Linux systems running kernel versions before the patch that introduced commit 088f65e206087bf903743bd18417261d7a4c9644 are potentially vulnerable. The issue is limited to the kernel’s EFI runtime support codepath and affects any distribution that has not yet upgraded to a kernel incorporating this change. Specific version data were not provided in the advisory, so administrators should check whether their kernel tree contains this commit or newer.

Risk and Exploitability

The vulnerability does not have an associated CVSS score or EPSS available, and it is not listed in CISA’s KEV catalog, indicating that it is not a known, widely exploited flaw. However, the exploit would require an attacker to induce a page fault through malicious EFI firmware or a firmware bug, which is a non‑common scenario. If such conditions are met, the impact is a hard crash that renders the system inoperable until reboot, making the risk high but the likelihood of successful exploitation relatively low under normal operational conditions.

Generated by OpenCVE AI on June 8, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the commit (c8…9644) or a later version that contains the fix.
  • If a kernel patch cannot be applied immediately, limit access to EFI runtime services that can trigger page faults or use firmware that does not exhibit the faulty page‑fault behavior.
  • After mitigation, monitor system logs for panic messages related to EFI runtime service faults to confirm that the freeze no longer occurs.

Generated by OpenCVE AI on June 8, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-711

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: x86/efi: Fix graceful fault handling after FPU softirq changes Since commit d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin() calls fpregs_lock() which uses local_bh_disable() instead of the previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count during the entire EFI runtime service call, causing in_interrupt() to return true in normal task context. The graceful page fault handler efi_crash_gracefully_on_page_fault() uses in_interrupt() to bail out for faults in real interrupt context. With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI firmware page faults unhandled. This escalates to die() which also sees in_interrupt() as true and calls panic("Fatal exception in interrupt"), resulting in a hard system freeze. On systems with buggy firmware that triggers page faults during EFI runtime calls (e.g., accessing unmapped memory in GetTime()), this causes an unrecoverable hang instead of the expected graceful EFI_ABORTED recovery. Fix by replacing in_interrupt() with !in_task(). This preserves the original intent of bailing for interrupts or NMI faults, while no longer falsely triggering from the FPU code path's local_bh_disable(). [ardb: Sashiko spotted that using 'in_hardirq() || in_nmi()' leaves a window where a softirq may be taken before fpregs_lock() is called, but after efi_rts_work.efi_rts_id has been assigned, and any page faults occurring in that window will then be misidentified as having been caused by the firmware. Instead, use !in_task(), which incorporates in_serving_softirq(). ]
Title x86/efi: Fix graceful fault handling after FPU softirq changes
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-08T15:46:17.224Z

Reserved: 2026-05-13T15:03:33.110Z

Link: CVE-2026-46290

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T17:16:47.230

Modified: 2026-06-08T17:16:47.230

Link: CVE-2026-46290

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T21:30:06Z

Weaknesses