CVE-2026-31594
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
epf_ntb_epc_destroy() duplicates the teardown that the caller is supposed to perform later. This leads to an oops when .allow_link fails or when .drop_link is performed. The following is an example oops of the former case:
Unable to handle kernel paging request at virtual address dead000000000108
[...]
[dead000000000108] address between user and kernel address ranges
Internal error: Oops: 0000000096000044 [#1] SMP
[...]
Call trace:
 pci_epc_remove_epf+0x78/0xe0 (P)
 pci_primary_epc_epf_link+0x88/0xa8
 configfs_symlink+0x1f4/0x5a0
 vfs_symlink+0x134/0x1d8
 do_symlinkat+0x88/0x138
 __arm64_sys_symlinkat+0x74/0xe0
[...]
Remove the helper, and drop pci_epc_put(). EPC device refcounting is tied to the configfs EPC group lifetime, and pci_epc_put() in the .drop_link path is sufficient.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A duplicate resource teardown in the Linux kernel's PCI endpoint NTB driver causes a NULL-pointer dereference and kernel oops.
Vulnerability
In the Linux kernel, the PCI endpoint function driver for NTB (pci-epf-vntb) contains a bug where epf_ntb_epc_destroy() performs a duplicate teardown of resources that the caller is expected to handle later. This double-free of EPC (Endpoint Controller) resources leads to a use-after-free condition, manifesting as a kernel oops when allow_link fails or when drop_link is invoked [1].
Exploitation
The vulnerability is triggered through the configfs interface used to manage PCI endpoint functions. An attacker with local access and the ability to create or manipulate configfs symbolic links can cause the kernel to call pci_primary_epc_epf_link(), which in turn invokes the flawed teardown path. No special privileges beyond the ability to interact with configfs are required, making this a local denial-of-service vector [1].
Impact
Successful exploitation results in a kernel panic (oops) due to a NULL-pointer dereference, as shown in the call trace: pci_epc_remove_epf followed by pci_primary_epc_epf_link. This crashes the system, leading to a denial of service. The oops occurs because the code attempts to access memory that has already been freed [1].
Mitigation
The fix removes the duplicate teardown helper and drops the premature pci_epc_put() call, relying instead on the proper refcounting tied to the configfs EPC group lifetime. The patch has been applied to the stable kernel tree [1]. Users should update to a kernel version containing the commit e238ab12556b or later.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References (6)
- git.kernel.org/stable/c/0da63230d3ec1ec5fcc443a2314233e95bfece54 (nvd, Patch)
- git.kernel.org/stable/c/478e776101592eb63298714e96823ef78a3295ec (nvd, Patch)
- git.kernel.org/stable/c/73bf218de28d039126dc64281d2b47dd3c46a0a3 (nvd, Patch)
- git.kernel.org/stable/c/a7a3cab4d33fd8a8aed864c447d0d7c99e85404e (nvd, Patch)
- git.kernel.org/stable/c/cec9ead73ab154a7953f6ab8dd5127e0d6bbf95a (nvd, Patch)
- git.kernel.org/stable/c/e238ab12556b00f3b4d8b870b32ba1e4f4d4ebc2 (nvd, Patch)
News mentions: 0 (no linked articles in our index yet)