CVE-2026-46034
Description
In the Linux kernel, the following vulnerability has been resolved:
vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
Add validation to ensure MSI is configured before accessing cdx_irqs array in vfio_cdx_set_msi_trigger(). Without this check, userspace can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD.
The vfio_cdx_msi_enable() function allocates the cdx_irqs array and sets config_msi to 1 only when called through the EVENTFD path. The trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been done, but there was no enforcement of this call ordering.
This matches the protection used in the PCI VFIO driver where vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing validation in the Linux kernel's vfio/cdx driver allows userspace to trigger a NULL pointer dereference by sending interrupt requests before MSI configuration.
Vulnerability
The vulnerability resides in the vfio/cdx driver in the Linux kernel. The function vfio_cdx_set_msi_trigger() does not validate whether MSI interrupts have been configured before accessing the cdx_irqs array. The array is allocated and config_msi is set to 1 only when vfio_cdx_msi_enable() is called via the VFIO_IRQ_SET_DATA_EVENTFD path. However, userspace can call VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags without first setting up interrupts via EVENTFD, leading to a NULL pointer dereference. This affects Linux kernel versions prior to the fix commit [1].
Exploitation
An attacker with local access to a system using the vfio/cdx driver can exploit this by issuing a VFIO_DEVICE_SET_IRQS ioctl with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags without having previously configured MSI interrupts via VFIO_IRQ_SET_DATA_EVENTFD. No special privileges beyond the ability to interact with the VFIO device are required. The attacker does not need to be root if they have been granted access to the VFIO device (e.g., via user namespaces or device assignment). The exploit sequence is straightforward: open the VFIO device and call the ioctl with the trigger flags, which makes the kernel index the still-NULL cdx_irqs array.
Impact
Successful exploitation results in a NULL pointer dereference in the kernel, leading to a system crash (denial of service). In some configurations this could potentially be leveraged for privilege escalation if the NULL pointer dereference is exploitable, but the primary impact is denial of service. The description gives no indication of arbitrary code execution; the practical effect is a kernel crash that disrupts system availability.
Mitigation
The fix is included in the Linux kernel commit [1] (stable commit 338a736aaf15e8ba3635ce20b29af5b8fc15e66a). Users should update to a kernel version containing this patch. The fix adds a check to ensure MSI is configured before accessing the cdx_irqs array, similar to the protection in the PCI VFIO driver. No workarounds are mentioned in the available references. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
85ea5880764cb vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
1 file changed · +4 −1
drivers/vfio/cdx/intr.c+4 −1 modifieddiff --git a/drivers/vfio/cdx/intr.c b/drivers/vfio/cdx/intr.c index 8f4402cec9c50f..c0eed065e8ef71 100644 --- a/drivers/vfio/cdx/intr.c +++ b/drivers/vfio/cdx/intr.c @@ -175,6 +175,10 @@ static int vfio_cdx_set_msi_trigger(struct vfio_cdx_device *vdev, return ret; } + /* Ensure MSI is configured before accessing cdx_irqs */ + if (!vdev->config_msi) + return -EINVAL; + for (i = start; i < start + count; i++) { if (!vdev->cdx_irqs[i].trigger) continue; -- cgit 1.3-korg
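Review bot: the new `if (!vdev->config_msi) return -EINVAL;` guard closes the NULL dereference, but the loop `for (i = start; i < start + count; i++)` still indexes `vdev->cdx_irqs[i]` with no bounds check visible in this hunk; confirm that the caller validates `start + count` against the number of vectors allocated by vfio_cdx_msi_enable(), or place that check beside the new one so a configured device cannot be indexed past the array. Also, the hunk header `@@ -175,6 +175,10 @@` shows four added lines and no deletions, so the `+4 −1` summary above does not match the visible hunk.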
51bf7638f33a vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
1 file changed · +4 −1
drivers/vfio/cdx/intr.c+4 −1 modifieddiff --git a/drivers/vfio/cdx/intr.c b/drivers/vfio/cdx/intr.c index 371a8ff01a2684..a588d6fc478bb2 100644 --- a/drivers/vfio/cdx/intr.c +++ b/drivers/vfio/cdx/intr.c @@ -177,6 +177,10 @@ static int vfio_cdx_set_msi_trigger(struct vfio_cdx_device *vdev, return ret; } + /* Ensure MSI is configured before accessing cdx_irqs */ + if (!vdev->config_msi) + return -EINVAL; + for (i = start; i < start + count; i++) { if (!vdev->cdx_irqs[i].trigger) continue; -- cgit 1.3-korg
5d6c349c9823 vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
1 file changed · +4 −1
drivers/vfio/cdx/intr.c+4 −1 modifieddiff --git a/drivers/vfio/cdx/intr.c b/drivers/vfio/cdx/intr.c index 371a8ff01a2684..a588d6fc478bb2 100644 --- a/drivers/vfio/cdx/intr.c +++ b/drivers/vfio/cdx/intr.c @@ -177,6 +177,10 @@ static int vfio_cdx_set_msi_trigger(struct vfio_cdx_device *vdev, return ret; } + /* Ensure MSI is configured before accessing cdx_irqs */ + if (!vdev->config_msi) + return -EINVAL; + for (i = start; i < start + count; i++) { if (!vdev->cdx_irqs[i].trigger) continue; -- cgit 1.3-korg
338a736aaf15 vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
1 file changed · +4 −1
drivers/vfio/cdx/intr.c+4 −1 modifieddiff --git a/drivers/vfio/cdx/intr.c b/drivers/vfio/cdx/intr.c index 0baa0a301eb252..6dfe0ced3bdd8a 100644 --- a/drivers/vfio/cdx/intr.c +++ b/drivers/vfio/cdx/intr.c @@ -177,6 +177,10 @@ static int vfio_cdx_set_msi_trigger(struct vfio_cdx_device *vdev, return ret; } + /* Ensure MSI is configured before accessing cdx_irqs */ + if (!vdev->config_msi) + return -EINVAL; + for (i = start; i < start + count; i++) { if (!vdev->cdx_irqs[i].trigger) continue; -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing validation that MSI is configured before accessing the cdx_irqs array in vfio_cdx_set_msi_trigger()."
Attack vector
An attacker with access to a VFIO CDX device can trigger a NULL pointer dereference by calling the `VFIO_DEVICE_SET_IRQS` ioctl with either `VFIO_IRQ_SET_DATA_BOOL` or `VFIO_IRQ_SET_DATA_NONE` flags without first having called it with `VFIO_IRQ_SET_DATA_EVENTFD` to set up interrupts. The trigger loop in `vfio_cdx_set_msi_trigger()` assumes `vdev->cdx_irqs` has been allocated, but no ordering enforcement exists [patch_id=2660259]. This is a userspace-to-kernel attack requiring only local access to the VFIO device file descriptor.
Affected code
The vulnerable function is `vfio_cdx_set_msi_trigger()` in `drivers/vfio/cdx/intr.c` [patch_id=2660259]. The function iterates over `vdev->cdx_irqs[i].trigger` without first verifying that the `cdx_irqs` array has been allocated, which only happens when `vdev->config_msi` is set to 1 by `vfio_cdx_msi_enable()`.
What the fix does
The patch adds a guard check `if (!vdev->config_msi) return -EINVAL;` in `vfio_cdx_set_msi_trigger()`, immediately before the loop that dereferences `vdev->cdx_irqs` [patch_id=2660259]. Since `vdev->config_msi` is only set to 1 by `vfio_cdx_msi_enable()` (which also allocates the `cdx_irqs` array), this check ensures the array is valid before any access. This mirrors the existing protection in the PCI VFIO driver, where `vfio_pci_set_msi_trigger()` checks `irq_is()` before the trigger loop.
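The ordering invariant the fix enforces, as an added userspace model (not the kernel's code): `msi_enable()` is the only path that allocates `cdx_irqs` and sets `config_msi`, and `set_msi_trigger()` refuses to walk the array until that has happened. The struct layout, the `nvecs` field and the range check on `start + count` are assumptions for the model.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the driver state: names mirror the kernel struct
 * (config_msi, cdx_irqs); layout and the nvecs field are assumptions. */
struct cdx_irq {
    int trigger;                /* stands in for the per-vector eventfd ctx */
};

struct cdx_device {
    int config_msi;             /* 1 only after msi_enable(), as in the driver */
    unsigned int nvecs;
    struct cdx_irq *cdx_irqs;   /* NULL until msi_enable() allocates it */
};

/* Models vfio_cdx_msi_enable(): the only path (DATA_EVENTFD) that
 * allocates cdx_irqs and sets config_msi. */
static int msi_enable(struct cdx_device *vdev, unsigned int nvecs)
{
    if (vdev->config_msi)
        return 0;
    vdev->cdx_irqs = calloc(nvecs, sizeof(*vdev->cdx_irqs));
    if (!vdev->cdx_irqs)
        return -ENOMEM;
    vdev->nvecs = nvecs;
    vdev->config_msi = 1;
    return 0;
}

/* Models the DATA_BOOL / DATA_NONE trigger loop with the fix applied.
 * On success *fired holds how many vectors had a trigger and were signalled. */
static int set_msi_trigger(struct cdx_device *vdev, unsigned int start,
                           unsigned int count, int *fired)
{
    unsigned int i;

    if (!vdev->config_msi)      /* the fix: bail before touching cdx_irqs */
        return -EINVAL;
    if (start + count > vdev->nvecs)   /* assumed range check */
        return -EINVAL;

    *fired = 0;
    for (i = start; i < start + count; i++) {
        if (!vdev->cdx_irqs[i].trigger)
            continue;
        (*fired)++;             /* stands in for eventfd_signal() */
    }
    return 0;
}
```

Without the `config_msi` guard the first call below would index a NULL pointer; with it, the call fails cleanly with -EINVAL and only the EVENTFD-first sequence reaches the loop.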
Preconditions
- Auth: the attacker must have access to a VFIO CDX device file descriptor (e.g., via VFIO passthrough).
- Input: the attacker must be able to issue the VFIO_DEVICE_SET_IRQS ioctl on that device.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References