CVE-2026-46036

Source
https://cve.org/CVERecord?id=CVE-2026-46036
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46036.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46036
Published
2026-05-27T12:56:46.381Z
Modified
2026-06-18T03:54:56.175640088Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex

vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array.

Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations.

Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect.
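
The race and the fix described above, as an added example that is not part of the CVE record or of the kernel's vfio-cdx driver: a userspace C model of the state vfio_cdx_set_msi_trigger() manages. Only the field and function names (config_msi, cdx_irqs, msi_count, cdx_irqs_lock, vfio_cdx_msi_disable, vfio_cdx_irqs_cleanup) follow the commit message. The struct layout, the pthread mutex standing in for the kernel mutex, the in-line racing caller that uses trylock to record that it would have blocked, the last_freed bookkeeping that flags the use-after-free without touching freed memory, and the 4-vector/fd-7 sample input are all constructed here for illustration.

```c
/* Added example, not kernel code: a userspace model of the vfio/cdx
 * VFIO_DEVICE_SET_IRQS race and the per-device mutex that serializes it.
 * Field and function names follow the commit message; the rest is constructed. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct cdx_irq { int trigger_fd; };   /* stand-in for per-vector state */

struct vfio_cdx_device {
	bool config_msi;                /* the flag both racing callers test */
	struct cdx_irq *cdx_irqs;       /* freed by vfio_cdx_msi_disable() */
	unsigned int msi_count;
	pthread_mutex_t cdx_irqs_lock;  /* the mutex the fix adds */
	uintptr_t last_freed;           /* model-only: address of the last freed array */
	int racer_blocked;              /* model-only: times the racer had to wait */
};

static void vfio_cdx_msi_disable(struct vfio_cdx_device *vdev)
{
	if (!vdev->config_msi)          /* the early return the commit relies on */
		return;
	vdev->last_freed = (uintptr_t)vdev->cdx_irqs;
	free(vdev->cdx_irqs);
	vdev->cdx_irqs = NULL;
	vdev->msi_count = 0;
	vdev->config_msi = false;
}

/* Model-only: a second VFIO_DEVICE_SET_IRQS(DATA_NONE) caller that the scheduler
 * runs between the first caller's test of config_msi and its use of cdx_irqs.
 * A real caller sleeps in mutex_lock(); trylock lets one thread record instead
 * that it would have had to wait. Before the fix nobody holds the lock, so it wins. */
static void racing_disable(struct vfio_cdx_device *vdev)
{
	if (pthread_mutex_trylock(&vdev->cdx_irqs_lock) != 0) {
		vdev->racer_blocked++;
		return;
	}
	vfio_cdx_msi_disable(vdev);
	pthread_mutex_unlock(&vdev->cdx_irqs_lock);
}

/* The chokepoint. serialized == false is the pre-fix shape: the test of config_msi
 * and the use of cdx_irqs are not atomic. serialized == true holds cdx_irqs_lock
 * across both, which is the whole fix. */
static int vfio_cdx_set_msi_trigger(struct vfio_cdx_device *vdev, unsigned int index,
				    int fd, bool serialized)
{
	struct cdx_irq *irqs;
	uintptr_t seen;
	int ret = -EINVAL;

	if (serialized)
		pthread_mutex_lock(&vdev->cdx_irqs_lock);
	if (!vdev->config_msi || index >= vdev->msi_count)
		goto out;
	irqs = vdev->cdx_irqs;
	seen = (uintptr_t)irqs;         /* taken before the race so no freed pointer is read */
	racing_disable(vdev);           /* preemption point */
	ret = -EFAULT;                  /* model-only marker for "wrote to freed memory" */
	if (seen == vdev->last_freed)
		goto out;
	irqs[index].trigger_fd = fd;
	ret = 0;
out:
	if (serialized)
		pthread_mutex_unlock(&vdev->cdx_irqs_lock);
	return ret;
}

/* Close-device path after the fix: no unsynchronized !cdx_irqs pre-check; the
 * !config_msi early return inside the disable, now under the lock, covers the idle case. */
static void vfio_cdx_irqs_cleanup(struct vfio_cdx_device *vdev)
{
	pthread_mutex_lock(&vdev->cdx_irqs_lock);
	vfio_cdx_msi_disable(vdev);
	pthread_mutex_unlock(&vdev->cdx_irqs_lock);
}

struct race_outcome { int trigger_ret; int racer_blocked; };

/* Configure 4 vectors (the msi_enable step, inlined), then trigger vector 1 while
 * the racing disable lands mid-operation. */
struct race_outcome run_race(bool serialized)
{
	struct vfio_cdx_device vdev = { 0 };
	struct race_outcome out;

	pthread_mutex_init(&vdev.cdx_irqs_lock, NULL);
	vdev.cdx_irqs = calloc(4, sizeof(*vdev.cdx_irqs));
	if (!vdev.cdx_irqs)
		abort();                /* demo only: no graceful out-of-memory path */
	vdev.msi_count = 4;
	vdev.config_msi = true;
	out.trigger_ret = vfio_cdx_set_msi_trigger(&vdev, 1, 7, serialized);
	out.racer_blocked = vdev.racer_blocked;
	vfio_cdx_irqs_cleanup(&vdev);   /* safe whether or not the racer already freed */
	vfio_cdx_irqs_cleanup(&vdev);   /* and idempotent: the second call is a no-op */
	pthread_mutex_destroy(&vdev.cdx_irqs_lock);
	return out;
}
```

run_race(false) returns -EFAULT with racer_blocked == 0: the disable won the race and the trigger path went on to use the freed array. run_race(true) returns 0 with racer_blocked == 1: the same disable found cdx_irqs_lock held and had to wait, so the test of config_msi and the write that followed it were one atomic step. The double vfio_cdx_irqs_cleanup() call shows why the dropped !cdx_irqs pre-check was redundant: the !config_msi early return inside the disable already makes the close path a no-op when nothing is configured.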

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46036.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
848e447e000c41894ff931dc7c004fd42c8840f8
Fixed
ddf96e23c366c566283fce8377928851fa7f5e81
Fixed
7b436ade16cc81095d79b79f8efa3af0a4f5c5a2
Fixed
7530f34ec0ca1438d45a75dcb43183a1cc92eced
Fixed
670e8864b1a218d72f08db40d0103adf38fa1d9b

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46036.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.12.86
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.27
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46036.json"