vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-46036
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-27 14:17:22 UTC
Updated2026-05-27 14:48:03 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array. Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations. Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 848e447e000c41894ff931dc7c004fd42c8840f8 ddf96e23c366c566283fce8377928851fa7f5e81 git Not specified
CNA Linux Linux affected 848e447e000c41894ff931dc7c004fd42c8840f8 7b436ade16cc81095d79b79f8efa3af0a4f5c5a2 git Not specified
CNA Linux Linux affected 848e447e000c41894ff931dc7c004fd42c8840f8 7530f34ec0ca1438d45a75dcb43183a1cc92eced git Not specified
CNA Linux Linux affected 848e447e000c41894ff931dc7c004fd42c8840f8 670e8864b1a218d72f08db40d0103adf38fa1d9b git Not specified
CNA Linux Linux affected 6.10 Not specified
CNA Linux Linux unaffected 6.10 semver Not specified
CNA Linux Linux unaffected 6.12.86 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.27 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.4 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1-rc1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/ddf96e23c366c566283fce8377928851fa7f5e81 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/670e8864b1a218d72f08db40d0103adf38fa1d9b 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/7b436ade16cc81095d79b79f8efa3af0a4f5c5a2 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/7530f34ec0ca1438d45a75dcb43183a1cc92eced 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report