x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask

Summary

CVE	CVE-2026-31561
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-24 15:16:30 UTC
Updated	2026-04-27 20:30:14 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask Commit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so that whenever something else modifies CR4, that bit remains set. Which in itself is a perfectly fine idea. However, there's an issue when during boot FRED is initialized: first on the BSP and later on the APs. Thus, there's a window in time when exceptions cannot be handled. This becomes particularly nasty when running as SEV-{ES,SNP} or TDX guests which, when they manage to trigger exceptions during that short window described above, triple fault due to FRED MSRs not being set up yet. See Link tag below for a much more detailed explanation of the situation. So, as a result, the commit in that Link URL tried to address this shortcoming by temporarily disabling CR4 pinning when an AP is not online yet. However, that is a problem in itself because in this case, an attack on the kernel needs to only modify the online bit - a single bit in RW memory - and then disable CR4 pinning and then disable SM*P, leading to more and worse things to happen to the system. So, instead, remove the FRED bit from the CR4 pinning mask, thus obviating the need to temporarily disable CR4 pinning. If someone manages to disable FRED when poking at CR4, then idt_invalidate() would make sure the system would crash'n'burn on the first exception triggered, which is a much better outcome security-wise.

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.000180000 probability, percentile 0.046080000 (date 2026-04-27)

Problem Types: NVD-CWE-noinfo

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected ff45746fbf005f96e42bea466698e3fdbf926013 d7853d9fe94abf43b46c57b0b7f8418198b7615a git	Not specified
CNA	Linux	Linux	affected ff45746fbf005f96e42bea466698e3fdbf926013 a6e14114684d2324e5401617d6d01acb4a4e0e22 git	Not specified
CNA	Linux	Linux	affected ff45746fbf005f96e42bea466698e3fdbf926013 00d956dafa76f86a73424fe5cce3d604a8be2e4b git	Not specified
CNA	Linux	Linux	affected ff45746fbf005f96e42bea466698e3fdbf926013 411df123c017169922cc767affce76282b8e6c85 git	Not specified
CNA	Linux	Linux	affected 6.9	Not specified
CNA	Linux	Linux	unaffected 6.9 semver	Not specified
CNA	Linux	Linux	unaffected 6.12.80 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.21 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.11 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/411df123c017169922cc767affce76282b8e6c85	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/a6e14114684d2324e5401617d6d01acb4a4e0e22	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/d7853d9fe94abf43b46c57b0b7f8418198b7615a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/00d956dafa76f86a73424fe5cce3d604a8be2e4b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.