CVE-2026-31436 PUBLISHED

dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()

Assigner: Linux
Reserved: 09.03.2026 Published: 22.04.2026 Updated: 22.04.2026

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()

At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.

Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from aa8d18becc0c14aa3eb46d6d1b81450446e11b87 to e21da2ad8844585040fe4b82be1ad2fe99d40074 (excl.) affected from aa8d18becc0c14aa3eb46d6d1b81450446e11b87 to 82656e8daf8de00935ae91b91bed43f4d6e0d644 (excl.) affected from aa8d18becc0c14aa3eb46d6d1b81450446e11b87 to 0e4f43779d550e559be13a5cdb763bad92c4cc99 (excl.) affected from aa8d18becc0c14aa3eb46d6d1b81450446e11b87 to e1c9866173c5f8521f2d0768547a01508cb9ff27 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 6.8 is affected unaffected from 0 to 6.8 (excl.) unaffected from 6.12.80 to 6.12.* (incl.) unaffected from 6.18.21 to 6.18.* (incl.) unaffected from 6.19.11 to 6.19.* (incl.) unaffected from 7.0 to * (incl.)

CVE-2026-31436 PUBLISHED

dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()

Product Status

References