Description
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc

pci_epf_alloc_doorbell() stores the allocated doorbell message array in
epf->db_msg/epf->num_db before requesting MSI vectors. If MSI allocation
fails, the array is freed but the EPF state may still point to freed
memory.

Clear epf->db_msg and epf->num_db on the MSI allocation failure path so
that later cleanup cannot double-free the array and callers can retry
allocation.

Also return -EBUSY when doorbells have already been allocated to prevent
leaking or overwriting an existing allocation.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the pci-ep-msi path was vulnerable when an MSI allocation failed. The code freed the doorbell message array but left the endpoint structure pointing to the freed memory. Subsequent cleanup could attempt to free the already‑freed array, leading to a double‑free or use‑after‑free scenario that can corrupt kernel memory. The patch eliminates the leak and prevents overwriting existing allocations by returning -EBUSY when doorbells are already allocated.

Affected Systems

All Linux kernel versions that contain the pci-ep-msi endpoint driver before the commit that introduces this fix are affected. This includes any distribution release whose kernel contains the original pci_epf_alloc_doorbell implementation. The vendor is Linux; the product is the Linux kernel.

Risk and Exploitability

This vulnerability can potentially allow an attacker with the ability to trigger MSI allocation failures on a PCI endpoint to corrupt kernel memory, potentially leading to privilege escalation or denial of service. The CVSS score of 5.5 indicates moderate severity, while the EPSS score of <1% shows a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, implying no publicly known exploits. An attacker would need local control of the host that owns the device, or the ability to influence MSI allocation, to exploit this flaw.

Generated by OpenCVE AI on June 27, 2026 at 02:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated Linux kernel that contains the pci-ep-msi fix for the endpoint driver, ensuring the kernel version includes the commit that clears epf->db_msg/num_db and properly handles MSI allocation failures.
  • If an immediate kernel upgrade is not possible, apply the upstream patch from the kernel source, rebuild the endpoint driver with a non‑buggy MSI allocation path, and load the patched driver.
  • As a temporary precaution, restrict access to PCI devices that use the endpoint driver by limiting privileged user access or disabling MSI allocation for those devices until a kernel update is available.

Generated by OpenCVE AI on June 27, 2026 at 02:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1341
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc pci_epf_alloc_doorbell() stores the allocated doorbell message array in epf->db_msg/epf->num_db before requesting MSI vectors. If MSI allocation fails, the array is freed but the EPF state may still point to freed memory. Clear epf->db_msg and epf->num_db on the MSI allocation failure path so that later cleanup cannot double-free the array and callers can retry allocation. Also return -EBUSY when doorbells have already been allocated to prevent leaking or overwriting an existing allocation.
Title PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:09.492Z

Reserved: 2026-06-09T07:44:35.382Z

Link: CVE-2026-53067

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53067 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T02:45:09Z

Weaknesses