CVE-2026-31523
Race Condition in Linux nvme-pci Driver Causes Double Completions
Publication date: 2026-04-22
Last updated on: 2026-04-28
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.168 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.131 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.80 (exc) |
| linux | linux_kernel | From 5.0 (inc) to 5.10.253 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's nvme-pci driver. It involves the handling of polled queues, where a user can change the polled queue count at runtime. During a brief window when a reset occurs, a high priority (hipri) task may attempt to poll the queue before the block layer has updated the queue mappings. This creates a race condition with the now interrupt-driven queue, potentially causing double completions.
How can this vulnerability impact me? :
The vulnerability can lead to race conditions causing double completions in the NVMe queue handling. This may result in unexpected behavior or instability in the system's storage operations, potentially affecting data integrity or system reliability.