{"api_version":"1","generated_at":"2026-05-06T01:49:55+00:00","cve":"CVE-2026-31561","urls":{"html":"https://cve.report/CVE-2026-31561","api":"https://cve.report/api/cve/CVE-2026-31561.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31561","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31561"},"summary":{"title":"x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask\n\nCommit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so\nthat whenever something else modifies CR4, that bit remains set. Which\nin itself is a perfectly fine idea.\n\nHowever, there's an issue when during boot FRED is initialized: first on\nthe BSP and later on the APs. Thus, there's a window in time when\nexceptions cannot be handled.\n\nThis becomes particularly nasty when running as SEV-{ES,SNP} or TDX\nguests which, when they manage to trigger exceptions during that short\nwindow described above, triple fault due to FRED MSRs not being set up\nyet.\n\nSee Link tag below for a much more detailed explanation of the\nsituation.\n\nSo, as a result, the commit in that Link URL tried to address this\nshortcoming by temporarily disabling CR4 pinning when an AP is not\nonline yet.\n\nHowever, that is a problem in itself because in this case, an attack on\nthe kernel needs to only modify the online bit - a single bit in RW\nmemory - and then disable CR4 pinning and then disable SM*P, leading to\nmore and worse things to happen to the system.\n\nSo, instead, remove the FRED bit from the CR4 pinning mask, thus\nobviating the need to temporarily disable CR4 pinning.\n\nIf someone manages to disable FRED when poking at CR4, then\nidt_invalidate() would make sure the system would crash'n'burn on the\nfirst exception triggered, which is a much better outcome security-wise.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-24 15:16:30","updated_at":"2026-04-27 20:30:14"},"problem_types":["NVD-CWE-noinfo"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/411df123c017169922cc767affce76282b8e6c85","name":"https://git.kernel.org/stable/c/411df123c017169922cc767affce76282b8e6c85","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a6e14114684d2324e5401617d6d01acb4a4e0e22","name":"https://git.kernel.org/stable/c/a6e14114684d2324e5401617d6d01acb4a4e0e22","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d7853d9fe94abf43b46c57b0b7f8418198b7615a","name":"https://git.kernel.org/stable/c/d7853d9fe94abf43b46c57b0b7f8418198b7615a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/00d956dafa76f86a73424fe5cce3d604a8be2e4b","name":"https://git.kernel.org/stable/c/00d956dafa76f86a73424fe5cce3d604a8be2e4b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31561","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31561","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ff45746fbf005f96e42bea466698e3fdbf926013 d7853d9fe94abf43b46c57b0b7f8418198b7615a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ff45746fbf005f96e42bea466698e3fdbf926013 a6e14114684d2324e5401617d6d01acb4a4e0e22 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ff45746fbf005f96e42bea466698e3fdbf926013 00d956dafa76f86a73424fe5cce3d604a8be2e4b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ff45746fbf005f96e42bea466698e3fdbf926013 411df123c017169922cc767affce76282b8e6c85 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.9","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.9 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.80 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.21 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.11 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"31561","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"31561","cve":"CVE-2026-31561","epss":"0.000180000","percentile":"0.046080000","score_date":"2026-04-27","updated_at":"2026-04-28 00:06:44"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["arch/x86/kernel/cpu/common.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"d7853d9fe94abf43b46c57b0b7f8418198b7615a","status":"affected","version":"ff45746fbf005f96e42bea466698e3fdbf926013","versionType":"git"},{"lessThan":"a6e14114684d2324e5401617d6d01acb4a4e0e22","status":"affected","version":"ff45746fbf005f96e42bea466698e3fdbf926013","versionType":"git"},{"lessThan":"00d956dafa76f86a73424fe5cce3d604a8be2e4b","status":"affected","version":"ff45746fbf005f96e42bea466698e3fdbf926013","versionType":"git"},{"lessThan":"411df123c017169922cc767affce76282b8e6c85","status":"affected","version":"ff45746fbf005f96e42bea466698e3fdbf926013","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["arch/x86/kernel/cpu/common.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.9"},{"lessThan":"6.9","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.80","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.21","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.11","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.80","versionStartIncluding":"6.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.21","versionStartIncluding":"6.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.11","versionStartIncluding":"6.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.9","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask\n\nCommit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so\nthat whenever something else modifies CR4, that bit remains set. Which\nin itself is a perfectly fine idea.\n\nHowever, there's an issue when during boot FRED is initialized: first on\nthe BSP and later on the APs. Thus, there's a window in time when\nexceptions cannot be handled.\n\nThis becomes particularly nasty when running as SEV-{ES,SNP} or TDX\nguests which, when they manage to trigger exceptions during that short\nwindow described above, triple fault due to FRED MSRs not being set up\nyet.\n\nSee Link tag below for a much more detailed explanation of the\nsituation.\n\nSo, as a result, the commit in that Link URL tried to address this\nshortcoming by temporarily disabling CR4 pinning when an AP is not\nonline yet.\n\nHowever, that is a problem in itself because in this case, an attack on\nthe kernel needs to only modify the online bit - a single bit in RW\nmemory - and then disable CR4 pinning and then disable SM*P, leading to\nmore and worse things to happen to the system.\n\nSo, instead, remove the FRED bit from the CR4 pinning mask, thus\nobviating the need to temporarily disable CR4 pinning.\n\nIf someone manages to disable FRED when poking at CR4, then\nidt_invalidate() would make sure the system would crash'n'burn on the\nfirst exception triggered, which is a much better outcome security-wise."}],"providerMetadata":{"dateUpdated":"2026-04-24T14:35:43.302Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/d7853d9fe94abf43b46c57b0b7f8418198b7615a"},{"url":"https://git.kernel.org/stable/c/a6e14114684d2324e5401617d6d01acb4a4e0e22"},{"url":"https://git.kernel.org/stable/c/00d956dafa76f86a73424fe5cce3d604a8be2e4b"},{"url":"https://git.kernel.org/stable/c/411df123c017169922cc767affce76282b8e6c85"}],"title":"x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31561","datePublished":"2026-04-24T14:35:43.302Z","dateReserved":"2026-03-09T15:48:24.116Z","dateUpdated":"2026-04-24T14:35:43.302Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-24 15:16:30","lastModifiedDate":"2026-04-27 20:30:14","problem_types":["NVD-CWE-noinfo"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9.1","versionEndExcluding":"6.12.80","matchCriteriaId":"AC9469D5-3400-4C2C-A51B-AF83A8E8F623"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.21","matchCriteriaId":"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:-:*:*:*:*:*:*","matchCriteriaId":"3F2A4A3D-068A-4CF2-A09F-9C7937DDB0A5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31561","Ordinal":"1","Title":"x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask","CVE":"CVE-2026-31561","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31561","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask\n\nCommit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so\nthat whenever something else modifies CR4, that bit remains set. Which\nin itself is a perfectly fine idea.\n\nHowever, there's an issue when during boot FRED is initialized: first on\nthe BSP and later on the APs. Thus, there's a window in time when\nexceptions cannot be handled.\n\nThis becomes particularly nasty when running as SEV-{ES,SNP} or TDX\nguests which, when they manage to trigger exceptions during that short\nwindow described above, triple fault due to FRED MSRs not being set up\nyet.\n\nSee Link tag below for a much more detailed explanation of the\nsituation.\n\nSo, as a result, the commit in that Link URL tried to address this\nshortcoming by temporarily disabling CR4 pinning when an AP is not\nonline yet.\n\nHowever, that is a problem in itself because in this case, an attack on\nthe kernel needs to only modify the online bit - a single bit in RW\nmemory - and then disable CR4 pinning and then disable SM*P, leading to\nmore and worse things to happen to the system.\n\nSo, instead, remove the FRED bit from the CR4 pinning mask, thus\nobviating the need to temporarily disable CR4 pinning.\n\nIf someone manages to disable FRED when poking at CR4, then\nidt_invalidate() would make sure the system would crash'n'burn on the\nfirst exception triggered, which is a much better outcome security-wise.","Type":"Description","Title":"x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask"}]}}}