CVE-2026-31595
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
Disable the delayed work before clearing BAR mappings and doorbells to avoid running the handler after resources have been torn down.
Unable to handle kernel paging request at virtual address ffff800083f46004
[...]
Internal error: Oops: 0000000096000007 [#1] SMP
[...]
Call trace:
 epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)
 process_one_work+0x154/0x3b0
 worker_thread+0x2c8/0x400
 kthread+0x148/0x210
 ret_from_fork+0x10/0x20
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in Linux kernel's PCI endpoint NTB driver (pci-epf-vntb) occurs when the delayed work handler runs after resource cleanup.
Root Cause
In the Linux kernel's PCI endpoint NTB driver (pci-epf-vntb), the epf_ntb_epc_cleanup function clears BAR mappings and doorbells without first stopping the delayed work queue (cmd_handler). This creates a race condition where the epf_ntb_cmd_handler work item can execute after the resources it accesses have been freed, leading to a use-after-free [1][2][3][4].
Exploitation
The vulnerability is triggered during device teardown or reconfiguration. An attacker with local access and the ability to trigger PCI endpoint removal or reset can cause the kernel to access freed memory. No special privileges beyond local user access are required, as the race occurs in normal driver cleanup paths [1][2][3][4].
Impact
Successful exploitation results in a kernel crash (Oops) due to an invalid memory access, as shown by the call trace in the CVE description. This can lead to a denial of service (system panic) or potentially allow an attacker to escalate privileges if the freed memory is reallocated and controlled [1][2][3][4].
Mitigation
The fix is to cancel the delayed work (cancel_delayed_work) before tearing down resources in epf_ntb_epc_cleanup. The patch has been applied to the Linux kernel stable branches and is available in the cited commits [1][2][3][4]. Users should update to a kernel version containing the fix.
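The ordering the Mitigation section describes, as an added example that is not code from this page or from the kernel: a constructed, single-threaded model of a delayed-work queue in which the cleanup path either frees the BAR-backed resources while the cmd_handler work item is still queued (the pre-fix ordering, with the cancel arriving only later at unbind) or cancels the work first. All names here (ntb_model, epc_resources, epc_cleanup_buggy, epc_cleanup_fixed, ntb_unbind-style driving code and the toy workqueue helpers) are assumptions modelled on the kernel's delayed-work API, not the driver's own symbols.

```c
/* Constructed single-threaded model of a delayed-work queue and the
 * pci-epf-vntb teardown ordering (added example, not the driver's code).
 * Names ntb_model, epc_resources, epc_cleanup_* and the workqueue helpers
 * are hypothetical stand-ins for the kernel API. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct work_item {
    void (*fn)(void *arg);
    void *arg;
    bool pending;  /* queued and waiting for its delay to expire */
};

/* Toy queue: "running" it fires every pending item once, as a timer expiry would. */
struct workqueue {
    struct work_item *items[4];
    int n;
};

static void queue_delayed_work(struct workqueue *wq, struct work_item *w)
{
    for (int i = 0; i < wq->n; i++)
        if (wq->items[i] == w) { w->pending = true; return; }
    if (wq->n < 4) wq->items[wq->n++] = w;
    w->pending = true;
}

/* Stand-in for cancel_delayed_work(): dequeue the item if still pending. */
static bool cancel_delayed_work(struct work_item *w)
{
    bool was_pending = w->pending;
    w->pending = false;
    return was_pending;
}

static void run_pending_work(struct workqueue *wq)
{
    for (int i = 0; i < wq->n; i++) {
        struct work_item *w = wq->items[i];
        if (w->pending) { w->pending = false; w->fn(w->arg); }
    }
}

struct epc_resources { unsigned int cmd; };  /* command register in BAR memory */

struct ntb_model {
    struct workqueue *wq;
    struct work_item cmd_work;
    struct epc_resources *res;    /* cleared by epc_cleanup */
    unsigned long handled;        /* handler runs that found live resources */
    unsigned long after_teardown; /* handler runs after the resources were freed */
};

/* Stand-in for epf_ntb_cmd_handler: poll the command register, then reschedule
 * itself. The real handler has no NULL check and would touch freed BAR memory;
 * the model counts that event instead so it stays well-defined. */
static void cmd_handler(void *arg)
{
    struct ntb_model *ntb = arg;
    if (ntb->res) {
        (void)ntb->res->cmd;
        ntb->handled++;
    } else {
        ntb->after_teardown++;
    }
    queue_delayed_work(ntb->wq, &ntb->cmd_work);
}

static void free_epc_resources(struct ntb_model *ntb)
{
    free(ntb->res);
    ntb->res = NULL;  /* clear the BAR mapping */
}

/* Pre-fix ordering: resources go away, but the work stays queued. */
static void epc_cleanup_buggy(struct ntb_model *ntb) { free_epc_resources(ntb); }

/* Fixed ordering: cancel the work first, then tear down what it touches. */
static void epc_cleanup_fixed(struct ntb_model *ntb)
{
    cancel_delayed_work(&ntb->cmd_work);
    free_epc_resources(ntb);
}

/* One device lifetime: bind, two handler runs, cleanup, one more timer expiry,
 * then the late cancel at unbind. Returns how many handler runs found the
 * resources already gone: 1 with the buggy ordering, 0 with the fix. */
unsigned long run_model(bool fixed)
{
    struct workqueue wq = { {0}, 0 };
    struct ntb_model ntb = {
        .wq = &wq,
        .cmd_work = { cmd_handler, &ntb, false },
        .res = calloc(1, sizeof(struct epc_resources)),
    };
    queue_delayed_work(&wq, &ntb.cmd_work);  /* bind: start polling */
    run_pending_work(&wq);
    run_pending_work(&wq);                   /* device up: handler runs twice */
    if (fixed) epc_cleanup_fixed(&ntb); else epc_cleanup_buggy(&ntb);
    run_pending_work(&wq);                   /* the delay expires once more */
    cancel_delayed_work(&ntb.cmd_work);      /* unbind: the cancel that came too late */
    return ntb.after_teardown;
}

int main(void)
{
    printf("buggy ordering: %lu handler run(s) after teardown\n", run_model(false));
    printf("fixed ordering: %lu handler run(s) after teardown\n", run_model(true));
    return 0;
}
```

The model is single-threaded, so it only shows the pending-work half of the problem. In the kernel, cancel_delayed_work() removes work that has not yet started; if the handler can already be executing on another CPU when cleanup runs, cancel_delayed_work_sync() is the variant that also waits for that execution to finish before the resources are freed.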
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- git.kernel.org/stable/c/5999067140c67530a6cb6f41a8471596e60452cb (NVD tag: Patch)
- git.kernel.org/stable/c/6773cc24c004930903a57761132c1e7728907f8f (NVD tag: Patch)
- git.kernel.org/stable/c/9921cce25bfe4021f6e55ca995351eb967165297 (NVD tag: Patch)
- git.kernel.org/stable/c/ceb73484e7204f661f770069ecdf35f6e941879c (NVD tag: Patch)
- git.kernel.org/stable/c/d799984233a50abd2667a7d17a9a710a3f10ebe2 (NVD tag: Patch)
- git.kernel.org/stable/c/fbb6c353fa2fb5f5f990eda034a1074b0356127e (NVD tag: Patch)
News mentions (0)
No linked articles in our index yet.