CVE-2026-46034
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
Add validation to ensure MSI is configured before accessing cdx_irqs array in vfio_cdx_set_msi_trigger(). Without this check, userspace can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD.
The vfio_cdx_msi_enable() function allocates the cdx_irqs array and sets config_msi to 1 only when called through the EVENTFD path. The trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been done, but there was no enforcement of this call ordering.
This matches the protection used in the PCI VFIO driver where vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 848e447e000c41894ff931dc7c004fd42c8840f8 < 51bf7638f33aece41cb3f4cbeb942cc52950e329 | affected |
| Linux | Linux | 848e447e000c41894ff931dc7c004fd42c8840f8 < 5d6c349c9823eb819fed8b537b088cf38126018c | affected |
| Linux | Linux | 848e447e000c41894ff931dc7c004fd42c8840f8 < 338a736aaf15e8ba3635ce20b29af5b8fc15e66a | affected |
| Linux | Linux | 848e447e000c41894ff931dc7c004fd42c8840f8 < 5ea5880764cbb164afb17a62e76ca75dc371409d | affected |
| Linux | Linux | 6.10 | affected |
| Linux | Linux | 0 < 6.10 | unaffected |
| Linux | Linux | 6.12.86 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.27 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.4 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/51bf7638f33aece41cb3f4cbeb942cc52950e329
- https://git.kernel.org/stable/c/5d6c349c9823eb819fed8b537b088cf38126018c
- https://git.kernel.org/stable/c/338a736aaf15e8ba3635ce20b29af5b8fc15e66a
- https://git.kernel.org/stable/c/5ea5880764cbb164afb17a62e76ca75dc371409d
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.