In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
epfntbepcdestroy() duplicates the teardown that the caller is supposed to perform later. This leads to an oops when .allowlink fails or when .drop_link is performed. The following is an example oops of the former case:
Unable to handle kernel paging request at virtual address dead000000000108 [...] [dead000000000108] address between user and kernel address ranges Internal error: Oops: 0000000096000044 [#1] SMP [...] Call trace: pciepcremoveepf+0x78/0xe0 (P) pciprimaryepcepflink+0x88/0xa8 configfssymlink+0x1f4/0x5a0 vfssymlink+0x134/0x1d8 dosymlinkat+0x88/0x138 __arm64syssymlinkat+0x74/0xe0 [...]
Remove the helper, and drop pciepcput(). EPC device refcounting is tied to the configfs EPC group lifetime, and pciepcput() in the .drop_link path is sufficient.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31594.json"
}