CVE-2026-46290
Description
Linux kernel vulnerability allows buggy firmware to cause unrecoverable system hangs during EFI runtime calls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A change in the Linux kernel's FPU handling (commit d02198550423) made kernel_fpu_begin() use local_bh_disable() instead of preempt_disable(). Disabling bottom halves raises the softirq field of preempt_count (by SOFTIRQ_DISABLE_OFFSET, not the SOFTIRQ_OFFSET bit that marks a softirq actually being served), and in_interrupt() masks the whole softirq field, so it now returns true in ordinary task context whenever the FPU is held. On x86 the EFI runtime service wrappers take the FPU around every firmware call, so that is exactly the state the kernel is in when firmware faults. The graceful EFI page fault handler efi_crash_gracefully_on_page_fault() uses in_interrupt() to separate a fault taken inside an interrupt or NMI (a regular oops) from a fault caused by the firmware itself; with the softirq count raised it always takes the oops path, the firmware fault is never handled gracefully, and the system freezes. This affects systems with firmware that triggers page faults during EFI runtime calls, such as accessing unmapped memory in GetTime().
Exploitation
No attacker-controlled input is required: the trigger is firmware that faults during an EFI runtime service call (the reference case is GetTime() touching unmapped memory). Any kernel path that invokes such a service while kernel_fpu_begin() has bottom halves disabled hits the bug: in_interrupt() returns true, efi_crash_gracefully_on_page_fault() bails out, and the fault falls through to the regular oops path, die() and panic(), freezing the system. An attacker who can make the kernel call an affected runtime service on such a machine therefore gets a local denial of service, but the underlying fault is the firmware's, not something the attacker crafts.
Impact
The result is a hard, unrecoverable system hang. The intended behaviour on a firmware page fault is the graceful path: warn, return EFI_ABORTED to the caller, and disable further EFI runtime services so the machine keeps running without them. Because the fault context is misidentified, the kernel instead oopses and panics, rendering the system completely unresponsive: a denial of service.
Mitigation
This vulnerability has been resolved in the Linux kernel. The fix replaces in_interrupt() with !in_task() in the graceful page fault handler. in_task() is false only in NMI, hardirq or while a softirq is actually being served, so a task that has merely disabled bottom halves still counts as task context; interrupt and NMI faults are still treated as a regular oops, while the false positive from the FPU code path disappears. The specific fixed version is not detailed in the available references, but the fix is available in the Linux kernel source tree [1] and in the commits listed under Patches. Until a fixed kernel is deployed, booting with efi=noruntime disables EFI runtime services entirely, which removes the faulting firmware call at the cost of losing efivars, the EFI RTC and similar facilities; updating the buggy firmware is the other option.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
6088f65e20608 x86/efi: Fix graceful fault handling after FPU softirq changes
1 file changed · +1 −2
arch/x86/platform/efi/quirks.c+1 −2 modifieddiff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c index df24ffc6105d6..c8f5e094ed9d7 100644 --- a/arch/x86/platform/efi/quirks.c +++ b/arch/x86/platform/efi/quirks.c @@ -770,7 +770,7 @@ void efi_crash_gracefully_on_page_fault(unsigned long phys_addr) * If we get an interrupt/NMI while processing an EFI runtime service * then this is a regular OOPS, not an EFI failure. */ - if (in_interrupt()) + if (!in_task()) return; /* -- cgit 1.3-korg
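Review bot: the comment kept above the new check ("If we get an interrupt/NMI while processing an EFI runtime service then this is a regular OOPS") no longer says why `in_interrupt()` was the wrong predicate here; a task that has only disabled bottom halves, which is the state kernel_fpu_begin() now leaves the EFI call in, satisfies `in_interrupt()` but not `!in_task()`. Add a line to the comment stating that, otherwise the next reader who "simplifies" `!in_task()` back to `in_interrupt()` reintroduces the hang. Separately, the diffstat shown for this commit reads +1 −2 while the rendered hunk removes one line and adds one; worth checking whether a line outside the rendered hunk was dropped from this page.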
db155b86d152 x86/efi: Fix graceful fault handling after FPU softirq changes
1 file changed · +1 −2
arch/x86/platform/efi/quirks.c+1 −2 modifieddiff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c index aa6b26c9cb308..1f234c33c85a7 100644 --- a/arch/x86/platform/efi/quirks.c +++ b/arch/x86/platform/efi/quirks.c @@ -771,7 +771,7 @@ void efi_crash_gracefully_on_page_fault(unsigned long phys_addr, * If we get an interrupt/NMI while processing an EFI runtime service * then this is a regular OOPS, not an EFI failure. */ - if (in_interrupt()) + if (!in_task()) return; /* -- cgit 1.3-korg
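Review bot: this is the same one-line change as 6088f65e20608, but against a tree where efi_crash_gracefully_on_page_fault() takes a second parameter (the context line ends in `phys_addr,`) and the hunk sits one line lower (@@ -771). Since the false positive only exists on kernels that carry d02198550423 (kernel_fpu_begin() using local_bh_disable()), the backport should name that commit so it is not applied to branches where in_interrupt() was still correct; the subject line shown here does not say which tree this id belongs to.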
22b365ba1af3 x86/efi: Fix graceful fault handling after FPU softirq changes
1 file changed · +1 −2
arch/x86/platform/efi/quirks.c+1 −2 modifieddiff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c index aa6b26c9cb308..1f234c33c85a7 100644 --- a/arch/x86/platform/efi/quirks.c +++ b/arch/x86/platform/efi/quirks.c @@ -771,7 +771,7 @@ void efi_crash_gracefully_on_page_fault(unsigned long phys_addr, * If we get an interrupt/NMI while processing an EFI runtime service * then this is a regular OOPS, not an EFI failure. */ - if (in_interrupt()) + if (!in_task()) return; /* -- cgit 1.3-korg
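Review bot: this hunk is identical to db155b86d152, down to the same pre/post blob ids (aa6b26c9cb308..1f234c33c85a7) and the same @@ -771 offset, so the two ids are either the same commit under two names or a cherry-pick of one onto another branch. The patch list should say which kernel branch each id lives on; as rendered, a reader cannot tell which stable series carry the fix and which still need it.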
Vulnerability mechanics
Root cause
"A change in FPU handling incorrectly flags interrupt context during EFI runtime calls, causing page faults to be mishandled."
Attack vector
The trigger is a page fault inside firmware during an EFI runtime service call, for example firmware that accesses unmapped memory in GetTime(). No attacker-crafted input is involved: the fault is the firmware's, and the kernel's own FPU handling is what makes it fatal. `kernel_fpu_begin()` now uses `local_bh_disable()`, which raises the softirq field of `preempt_count` (the page's references describe this as `SOFTIRQ_OFFSET` being set), so `in_interrupt()` reports interrupt context for a normal task for the whole duration of the EFI call.
Affected code
The vulnerability resides in the `efi_crash_gracefully_on_page_fault()` function within `arch/x86/platform/efi/quirks.c`. The change involves modifying the condition that determines whether to bail out of the graceful fault handling mechanism. Specifically, the check `if (in_interrupt())` was replaced with `if (!in_task())` [patch_id=5239525].
What the fix does
The patch replaces the check `if (in_interrupt())` with `if (!in_task())` in the `efi_crash_gracefully_on_page_fault()` function [patch_id=5239525]. `in_task()` is false only in NMI, hardirq, or while a softirq is actually being served; a task that has merely disabled bottom halves still counts as task context. The original intent of bailing out for genuine interrupt or NMI faults is preserved, the bail-out is no longer triggered by the softirq count that the FPU code path raises, and EFI firmware page faults are handled gracefully again.
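To make the context check concrete, here is an added user-space model (example code written for this page, not kernel source and not taken from the patches above) of the preempt_count layout and the in_interrupt()/in_task() predicates from include/linux/preempt.h, with old_handler() and new_handler() standing in for the first check of efi_crash_gracefully_on_page_fault() before and after the fix. efi_call_faults() and fault_in_context() are the example's own names; the bit layout follows the kernel, but the counter is a single global rather than per CPU and nothing else of the handler is modelled. It serves both the Vulnerability paragraph above and this description of the fix.

```c
/* Added example (not kernel code): user-space model of the x86 preempt_count
 * layout and the in_interrupt()/in_task() predicates, showing why the first
 * check in efi_crash_gracefully_on_page_fault() misfires once the EFI call
 * runs under kernel_fpu_begin()'s local_bh_disable(). Offsets and masks follow
 * include/linux/preempt.h; everything else is a simplification. */
#include <stdbool.h>
#include <stdio.h>

/* preempt_count layout:
 *   bits 0-7   PREEMPT  (preempt_disable() depth)
 *   bits 8-15  SOFTIRQ  (bit 8 = serving a softirq; bits 9+ = bh-disable depth)
 *   bits 16-19 HARDIRQ
 *   bits 20-23 NMI */
#define PREEMPT_BITS   8
#define SOFTIRQ_BITS   8
#define HARDIRQ_BITS   4
#define NMI_BITS       4

#define PREEMPT_SHIFT  0
#define SOFTIRQ_SHIFT  (PREEMPT_SHIFT + PREEMPT_BITS)
#define HARDIRQ_SHIFT  (SOFTIRQ_SHIFT + SOFTIRQ_BITS)
#define NMI_SHIFT      (HARDIRQ_SHIFT + HARDIRQ_BITS)

#define IRQ_MASK_OF(bits) ((1UL << (bits)) - 1)
#define SOFTIRQ_MASK   (IRQ_MASK_OF(SOFTIRQ_BITS) << SOFTIRQ_SHIFT)
#define HARDIRQ_MASK   (IRQ_MASK_OF(HARDIRQ_BITS) << HARDIRQ_SHIFT)
#define NMI_MASK       (IRQ_MASK_OF(NMI_BITS) << NMI_SHIFT)

#define PREEMPT_OFFSET (1UL << PREEMPT_SHIFT)
#define SOFTIRQ_OFFSET (1UL << SOFTIRQ_SHIFT)
#define HARDIRQ_OFFSET (1UL << HARDIRQ_SHIFT)
#define NMI_OFFSET     (1UL << NMI_SHIFT)
/* local_bh_disable() adds 2*SOFTIRQ_OFFSET, so the "serving softirq" bit 8 stays clear */
#define SOFTIRQ_DISABLE_OFFSET (2 * SOFTIRQ_OFFSET)

/* Single global counter for the model (the kernel keeps one per CPU). */
static unsigned long preempt_count;

static unsigned long softirq_count(void) { return preempt_count & SOFTIRQ_MASK; }
static bool in_hardirq(void)         { return preempt_count & HARDIRQ_MASK; }
static bool in_nmi(void)             { return preempt_count & NMI_MASK; }
static bool in_serving_softirq(void) { return softirq_count() & SOFTIRQ_OFFSET; }
/* in_interrupt(): any hardirq, softirq or NMI bits, which includes bh-disabled */
static bool in_interrupt(void) { return preempt_count & (HARDIRQ_MASK | SOFTIRQ_MASK | NMI_MASK); }
/* in_task(): not in NMI, not in hardirq, not actually serving a softirq */
static bool in_task(void) { return !(in_nmi() || in_hardirq() || in_serving_softirq()); }

static void local_bh_disable(void) { preempt_count += SOFTIRQ_DISABLE_OFFSET; }
static void local_bh_enable(void)  { preempt_count -= SOFTIRQ_DISABLE_OFFSET; }
static void preempt_disable(void)  { preempt_count += PREEMPT_OFFSET; }
static void preempt_enable(void)   { preempt_count -= PREEMPT_OFFSET; }

/* Outcome of the first check in efi_crash_gracefully_on_page_fault(). */
enum fault_path { EFI_GRACEFUL, REGULAR_OOPS };

/* Before the patch: bail out to a regular oops whenever in_interrupt() is true. */
static enum fault_path old_handler(void) { return in_interrupt() ? REGULAR_OOPS : EFI_GRACEFUL; }
/* After the patch: bail out only when not in task context. */
static enum fault_path new_handler(void) { return !in_task() ? REGULAR_OOPS : EFI_GRACEFUL; }

/* Model an EFI runtime call that faults inside firmware while the FPU is held.
 * use_bh_disable=true mirrors commit d02198550423 (kernel_fpu_begin() -> local_bh_disable()),
 * false mirrors the older preempt_disable() behaviour. */
static enum fault_path efi_call_faults(bool use_bh_disable, bool fixed)
{
	enum fault_path p;
	if (use_bh_disable) local_bh_disable(); else preempt_disable();
	p = fixed ? new_handler() : old_handler();   /* #PF taken here, inside firmware */
	if (use_bh_disable) local_bh_enable(); else preempt_enable();
	return p;
}

/* A fault taken while really in hardirq/softirq/NMI must stay a regular oops. */
static enum fault_path fault_in_context(unsigned long ctx_offset, bool fixed)
{
	enum fault_path p;
	preempt_count += ctx_offset;
	p = fixed ? new_handler() : old_handler();
	preempt_count -= ctx_offset;
	return p;
}

static const char *name(enum fault_path p) { return p == EFI_GRACEFUL ? "graceful" : "oops"; }

int main(void)
{
	printf("preempt_disable,  old check: %s\n", name(efi_call_faults(false, false)));
	printf("local_bh_disable, old check: %s   <- the bug\n", name(efi_call_faults(true, false)));
	printf("local_bh_disable, new check: %s\n", name(efi_call_faults(true, true)));
	printf("hardirq,          new check: %s\n", name(fault_in_context(HARDIRQ_OFFSET, true)));
	printf("serving softirq,  new check: %s\n", name(fault_in_context(SOFTIRQ_OFFSET, true)));
	printf("NMI,              new check: %s\n", name(fault_in_context(NMI_OFFSET, true)));
	return 0;
}
```

The bh-disabled task case is the only scenario where the two predicates disagree, and it is exactly the state kernel_fpu_begin() leaves the EFI call in. local_bh_disable() adds SOFTIRQ_DISABLE_OFFSET (bit 9 and up), so in_serving_softirq(), which tests bit 8, stays false and in_task() remains true; in_interrupt() masks the whole softirq field and cannot tell "bh disabled in a task" from "running a softirq", which is why the old check sent firmware faults down the oops path.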
Preconditions
- input: A page fault must occur during an EFI runtime service call.
- config: The system must be running on hardware with firmware that triggers page faults during EFI runtime calls, such as accessing unmapped memory in GetTime().
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8, 2026 (Vypr Intelligence, Jun 8, 2026)