VYPR
← All advisories
Medium severity5.5NVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026

CVE-2026-31561

CVE-2026-31561

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask

Commit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so that whenever something else modifies CR4, that bit remains set. Which in itself is a perfectly fine idea.

However, there's an issue when during boot FRED is initialized: first on the BSP and later on the APs. Thus, there's a window in time when exceptions cannot be handled.

This becomes particularly nasty when running as SEV-{ES,SNP} or TDX guests which, when they manage to trigger exceptions during that short window described above, triple fault due to FRED MSRs not being set up yet.

See Link tag below for a much more detailed explanation of the situation.

So, as a result, the commit in that Link URL tried to address this shortcoming by temporarily disabling CR4 pinning when an AP is not online yet.

However, that is a problem in itself because in this case, an attack on the kernel needs to only modify the online bit - a single bit in RW memory - and then disable CR4 pinning and then disable SM*P, leading to more and worse things to happen to the system.

So, instead, remove the FRED bit from the CR4 pinning mask, thus obviating the need to temporarily disable CR4 pinning.

If someone manages to disable FRED when poking at CR4, then idt_invalidate() would make sure the system would crash'n'burn on the first exception triggered, which is a much better outcome security-wise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A medium-severity flaw in x86 CPUs where FRED CR4 pinning during boot can cause triple faults in SEV/TDX guests, fixed by removing the FRED bit from the pin mask.

Vulnerability

Analysis

CVE-2026-31561 addresses a race condition in the Linux kernel's handling of the FRED (Flexible Return and Event Delivery) feature on x86 CPUs. The issue occurs because the CR4 pinned bits mask included the FRED bit, ensuring it remained set when other code modified CR4. During boot, FRED is initialized first on the BSP (bootstrap processor) and later on APs (application processors), creating a window where exceptions cannot be handled properly. In SEV-{ES,SNP} or TDX guest environments, triggering an exception during this window causes a triple fault, as FRED MSRs have not yet been set up [1][2].

Exploitation and

Attack Surface

A previous attempt to mitigate this by temporarily disabling CR4 pinning while an AP is not online introduced a different security issue: an attacker could modify a single bit in RW memory (the online bit) to disable CR4 pinning and subsequently disable SMEP/SMAP protections, enabling more severe attacks [3]. The fix removes the FRED bit from the CR4 pinning mask entirely, eliminating the need to temporarily disable pinning. If an attacker manages to clear FRED in CR4, the idt_invalidate() function ensures the system crashes on the first subsequent exception, which is a safer outcome than allowing privilege escalation [2][3].

Impact

Successful exploitation could lead to system instability (triple faults) in confidential computing environments (SEV, TDX), causing denial of service. The original fix's security downgrade (CR4 pinning disable) could also enable bypass of SMEP/SMAP, but the current patch prevents that vector. The CVSS score of 5.5 (Medium) reflects the local access required and primarily availability impact, though the complexity is low [1][2].

Mitigation

This vulnerability is fixed in Linux kernel commits d7853d9fe94a, 00d956dafa76, 411df123c017, and a6e14114684d (all leading to the same resolution) [1][2][3][4]. Users should update to kernels containing these patches. There is no workaround; the fix is part of ongoing mainline and stable kernel releases.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Linux/Kernel9 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.9.1,<6.12.80
    • cpe:2.3:o:linux:linux_kernel:6.9:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
  • Linux/Linux Kernel Rtllm-fuzzy

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.