In the Linux kernel, the following vulnerability has been resolved:
vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array.
Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations.
Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect.
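As an added illustration, not the kernel's code or the commit's, here is a userspace C model of the locking pattern the description lays out: a per-device mutex taken in the single chokepoint, with enable, disable and trigger flowing through it and the close-device cleanup calling in without its own unsynchronized pre-check. The MODEL_* flags and the int-array IRQ state are assumptions of the model, not VFIO definitions.

```c
/* Userspace model (added example, not kernel code) of the fix's pattern: every update to
 * config_msi, cdx_irqs and msi_count goes through one chokepoint that holds cdx_irqs_lock. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#define MODEL_ENABLE  1	/* hypothetical stand-ins for the ioctl's action flags */
#define MODEL_DISABLE 2
#define MODEL_TRIGGER 4
struct vfio_cdx_device {
	pthread_mutex_t cdx_irqs_lock;	/* the mutex the fix adds */
	int config_msi;
	int msi_count;
	int *cdx_irqs;			/* per-vector "triggered" flags; freed on disable (UAF target) */
};
static int msi_enable(struct vfio_cdx_device *vdev, int count)
{	/* both helpers run with cdx_irqs_lock held by the caller */
	if (vdev->config_msi || count <= 0) return -EINVAL;
	vdev->cdx_irqs = calloc(count, sizeof(*vdev->cdx_irqs));
	if (!vdev->cdx_irqs) return -ENOMEM;
	vdev->msi_count = count;
	vdev->config_msi = 1;
	return 0;
}
static void msi_disable(struct vfio_cdx_device *vdev)
{
	if (!vdev->config_msi) return;	/* this early return makes a separate !cdx_irqs pre-check redundant */
	free(vdev->cdx_irqs);
	vdev->cdx_irqs = NULL;
	vdev->msi_count = 0;
	vdev->config_msi = 0;
}
static int vfio_cdx_set_msi_trigger(struct vfio_cdx_device *vdev, unsigned flags, int index, int count)
{
	int ret = 0;	/* single chokepoint: the ioctl path and close-device cleanup both land here */
	pthread_mutex_lock(&vdev->cdx_irqs_lock);
	if (flags & MODEL_DISABLE)
		msi_disable(vdev);
	else if (flags & MODEL_ENABLE)
		ret = msi_enable(vdev, count);
	else if (!(flags & MODEL_TRIGGER) || !vdev->config_msi || index < 0 || index >= vdev->msi_count)
		ret = -EINVAL;	/* config_msi is tested under the same lock that disable holds */
	else
		vdev->cdx_irqs[index] = 1;
	pthread_mutex_unlock(&vdev->cdx_irqs_lock);
	return ret;
}
static void vfio_cdx_irqs_cleanup(struct vfio_cdx_device *vdev)
{	/* close-device path: no unsynchronized !cdx_irqs test before the call */
	vfio_cdx_set_msi_trigger(vdev, MODEL_DISABLE, 0, 0);
}
```

Because disable, enable and trigger all serialize on cdx_irqs_lock, a trigger that loses the race to a disable sees config_msi already cleared and returns -EINVAL instead of indexing a freed array.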
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46036.json"
}