vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex

CVE	CVE-2026-46036
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-27 14:17:22 UTC
Updated	2026-06-16 15:17:26 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array. Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations. Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect.

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000130000 probability, percentile 0.024370000 (date 2026-06-03)

Problem Types: CWE-416

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 848e447e000c41894ff931dc7c004fd42c8840f8 ddf96e23c366c566283fce8377928851fa7f5e81 git	Not specified
CNA	Linux	Linux	affected 848e447e000c41894ff931dc7c004fd42c8840f8 7b436ade16cc81095d79b79f8efa3af0a4f5c5a2 git	Not specified
CNA	Linux	Linux	affected 848e447e000c41894ff931dc7c004fd42c8840f8 7530f34ec0ca1438d45a75dcb43183a1cc92eced git	Not specified
CNA	Linux	Linux	affected 848e447e000c41894ff931dc7c004fd42c8840f8 670e8864b1a218d72f08db40d0103adf38fa1d9b git	Not specified
CNA	Linux	Linux	affected 6.10	Not specified
CNA	Linux	Linux	unaffected 6.10 semver	Not specified
CNA	Linux	Linux	unaffected 6.12.86 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.27 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.4 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/ddf96e23c366c566283fce8377928851fa7f5e81	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/670e8864b1a218d72f08db40d0103adf38fa1d9b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/7b436ade16cc81095d79b79f8efa3af0a4f5c5a2	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/7530f34ec0ca1438d45a75dcb43183a1cc92eced	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.