CVE-2026-46034
Status: Awaiting Analysis
NULL Pointer Dereference in Linux Kernel VFIO CDX Driver

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

vfio/cdx: Fix NULL pointer dereference in interrupt trigger path

Add validation to ensure MSI is configured before accessing the cdx_irqs array in vfio_cdx_set_msi_trigger(). Without this check, userspace can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD.

The vfio_cdx_msi_enable() function allocates the cdx_irqs array and sets config_msi to 1 only when called through the EVENTFD path. The trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been done, but there was no enforcement of this call ordering.

This matches the protection used in the PCI VFIO driver, where vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop.
Meta Information

Generated: 2026-06-16
AI Q&A generated: 2026-05-27
EPSS evaluated: 2026-06-15
Affected Vendors & Products (3 associated CPEs)

Vendor   Product        Version / Range
linux    linux_kernel   from 6.10 (inclusive) to 6.12.86 (exclusive)
linux    linux_kernel   from 6.13 (inclusive) to 6.18.27 (exclusive)
linux    linux_kernel   from 6.19 (inclusive) to 7.0.4 (exclusive)
Weakness (CWE)

CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
AI-Generated Insights
Mitigation Strategies

The vulnerability is fixed by adding validation that MSI has been configured before the cdx_irqs array is accessed in vfio_cdx_set_msi_trigger().

The immediate mitigation is to update the Linux kernel to a version that contains this fix (see the affected version ranges above).

With the check in place, userspace can no longer trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS with the VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before interrupts have been set up via VFIO_IRQ_SET_DATA_EVENTFD.

Executive Summary

This vulnerability exists in the Linux kernel's vfio/cdx component. It is a NULL pointer dereference in the interrupt trigger path caused by missing validation: userspace can trigger it by calling VFIO_DEVICE_SET_IRQS with the VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before interrupts have been set up via VFIO_IRQ_SET_DATA_EVENTFD.

The root cause is that vfio_cdx_set_msi_trigger() accesses the cdx_irqs array without verifying that MSI (Message Signaled Interrupts) has been configured. The cdx_irqs array and the configuration flag (config_msi) are only initialized when the EVENTFD path is used, but the trigger loop assumes this initialization has already occurred, so the unconfigured path dereferences a NULL pointer.

Impact Analysis

A NULL pointer dereference in the Linux kernel typically results in a kernel crash (oops or panic) or system instability. A malicious or buggy userspace program with access to a VFIO CDX device could therefore cause a denial of service (DoS) by crashing the system or disrupting normal operation.
