CVE-2026-46034 PUBLISHED

vfio/cdx: Fix NULL pointer dereference in interrupt trigger path

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

vfio/cdx: Fix NULL pointer dereference in interrupt trigger path

Add validation to ensure MSI is configured before accessing cdx_irqs array in vfio_cdx_set_msi_trigger(). Without this check, userspace can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD.

The vfio_cdx_msi_enable() function allocates the cdx_irqs array and sets config_msi to 1 only when called through the EVENTFD path. The trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been done, but there was no enforcement of this call ordering.

This matches the protection used in the PCI VFIO driver where vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 848e447e000c41894ff931dc7c004fd42c8840f8 to 51bf7638f33aece41cb3f4cbeb942cc52950e329 (excl.)
  • affected from 848e447e000c41894ff931dc7c004fd42c8840f8 to 5d6c349c9823eb819fed8b537b088cf38126018c (excl.)
  • affected from 848e447e000c41894ff931dc7c004fd42c8840f8 to 338a736aaf15e8ba3635ce20b29af5b8fc15e66a (excl.)
  • affected from 848e447e000c41894ff931dc7c004fd42c8840f8 to 5ea5880764cbb164afb17a62e76ca75dc371409d (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 6.10 is affected
  • unaffected from 0 to 6.10 (excl.)
  • unaffected from 6.12.86 to 6.12.* (incl.)
  • unaffected from 6.18.27 to 6.18.* (incl.)
  • unaffected from 7.0.4 to 7.0.* (incl.)
  • unaffected from 7.1-rc1 to * (incl.)

References