CVE-2026-31436
Use-After-Free in Linux dmaengine idxd Causes Descriptor Corruption
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for the dmaengine idxd issue in the llist_abort_desc() function.
The fix involves correcting the completion of descriptors to prevent NULL pointer dereferences, double completions, or descriptor leaks.
Applying the latest kernel patches or upgrading to the latest stable kernel release is recommended.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's dmaengine idxd component, specifically in the function llist_abort_desc(). The issue arises because at the end of this function, the code incorrectly completes a descriptor referred to as 'found' instead of the correct traversal cursor 'd' of the flist. This mistake can cause problems such as NULL pointer dereferences, double completion of descriptors, or descriptor leaks.
How can this vulnerability impact me? :
The vulnerability can lead to serious issues within the Linux kernel's dmaengine idxd subsystem. Specifically, it may cause NULL pointer dereferences, which can crash the system or cause instability. Double completion of descriptors might lead to unexpected behavior or corruption, and descriptor leaks could result in resource exhaustion or degraded performance.