In the Linux kernel, the following vulnerability has been resolved:
vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
Add validation to ensure MSI is configured before accessing cdxirqs array in vfiocdxsetmsitrigger(). Without this check, userspace can trigger a NULL pointer dereference by calling VFIODEVICESETIRQS with VFIOIRQSETDATABOOL or VFIOIRQSETDATANONE flags before ever setting up interrupts via VFIOIRQSETDATAEVENTFD.
The vfiocdxmsienable() function allocates the cdxirqs array and sets configmsi to 1 only when called through the EVENTFD path. The trigger loop (for DATABOOL/DATA_NONE) assumed this had already been done, but there was no enforcement of this call ordering.
This matches the protection used in the PCI VFIO driver where vfiopcisetmsitrigger() checks irq_is() before the trigger loop.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46034.json"
}