CVE-2026-46034

Source
https://cve.org/CVERecord?id=CVE-2026-46034
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46034.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46034
Published
2026-05-27T12:56:43.389Z
Modified
2026-06-18T03:54:59.006190210Z
Summary
vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/cdx: Fix NULL pointer dereference in interrupt trigger path

Add validation to ensure MSI is configured before accessing cdx_irqs array in vfio_cdx_set_msi_trigger(). Without this check, userspace can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD.

The vfio_cdx_msi_enable() function allocates the cdx_irqs array and sets config_msi to 1 only when called through the EVENTFD path. The trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been done, but there was no enforcement of this call ordering.

This matches the protection used in the PCI VFIO driver where vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop.
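
The call-ordering guard described above, as an added userspace model that is not the kernel's code or the actual patch. All names (model_dev, model_msi_enable, model_set_msi_trigger, the DATA_* stand-in flags) are hypothetical, and the -EINVAL return value is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Userspace model only: hypothetical names, not the kernel's structures. */
enum { DATA_NONE = 1, DATA_BOOL = 2, DATA_EVENTFD = 4 }; /* stand-in flags */

struct model_dev {
    int *fired;        /* per-vector counters; NULL until the EVENTFD path runs */
    int config_msi;    /* set to 1 only by model_msi_enable() */
    unsigned int nvec;
};

/* EVENTFD path: the only place the array is allocated. */
static int model_msi_enable(struct model_dev *d, unsigned int nvec)
{
    if (d->config_msi || nvec == 0)
        return -EINVAL;            /* model: one-time setup */
    d->fired = calloc(nvec, sizeof(*d->fired));
    if (!d->fired)
        return -ENOMEM;
    d->nvec = nvec;
    d->config_msi = 1;
    return 0;
}

int model_set_msi_trigger(struct model_dev *d, unsigned int start,
                          unsigned int count, uint32_t flags,
                          const uint8_t *bools)
{
    if (flags & DATA_EVENTFD)
        return start ? -EINVAL : model_msi_enable(d, count);
    /* The guard: no trigger before MSI is configured (error code assumed). */
    if (!d->config_msi)
        return -EINVAL;
    if (start > d->nvec || count > d->nvec - start)
        return -EINVAL;
    if ((flags & DATA_BOOL) && !bools)
        return -EINVAL;
    for (unsigned int i = 0; i < count; i++)
        if ((flags & DATA_NONE) || ((flags & DATA_BOOL) && bools[i]))
            d->fired[start + i]++;
    return 0;
}

int main(void)
{
    struct model_dev d = {0};
    /* Trigger before setup must be rejected, not dereference d.fired. */
    return model_set_msi_trigger(&d, 0, 1, DATA_NONE, NULL) == -EINVAL ? 0 : 1;
}
```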

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46034.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
848e447e000c41894ff931dc7c004fd42c8840f8
Fixed
51bf7638f33aece41cb3f4cbeb942cc52950e329
Fixed
5d6c349c9823eb819fed8b537b088cf38126018c
Fixed
338a736aaf15e8ba3635ce20b29af5b8fc15e66a
Fixed
5ea5880764cbb164afb17a62e76ca75dc371409d

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46034.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.12.86
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.27
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46034.json"