{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31436", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.089Z", "datePublished": "2026-04-22T13:53:35.693Z", "dateUpdated": "2026-05-11T22:08:40.304Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:40.304Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()\n\nAt the end of this function, d is the traversal cursor of flist, but the\ncode completes found instead. This can lead to issues such as NULL pointer\ndereferences, double completion, or descriptor leaks.\n\nFix this by completing d instead of found in the final\nlist_for_each_entry_safe() loop."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/dma/idxd/submit.c"], "versions": [{"version": "aa8d18becc0c14aa3eb46d6d1b81450446e11b87", "lessThan": "e21da2ad8844585040fe4b82be1ad2fe99d40074", "status": "affected", "versionType": "git"}, {"version": "aa8d18becc0c14aa3eb46d6d1b81450446e11b87", "lessThan": "82656e8daf8de00935ae91b91bed43f4d6e0d644", "status": "affected", "versionType": "git"}, {"version": "aa8d18becc0c14aa3eb46d6d1b81450446e11b87", "lessThan": "0e4f43779d550e559be13a5cdb763bad92c4cc99", "status": "affected", "versionType": "git"}, {"version": "aa8d18becc0c14aa3eb46d6d1b81450446e11b87", "lessThan": "e1c9866173c5f8521f2d0768547a01508cb9ff27", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/dma/idxd/submit.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e21da2ad8844585040fe4b82be1ad2fe99d40074"}, {"url": "https://git.kernel.org/stable/c/82656e8daf8de00935ae91b91bed43f4d6e0d644"}, {"url": "https://git.kernel.org/stable/c/0e4f43779d550e559be13a5cdb763bad92c4cc99"}, {"url": "https://git.kernel.org/stable/c/e1c9866173c5f8521f2d0768547a01508cb9ff27"}], "title": "dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()\n\nAt the end of this function, d is the traversal cursor of flist, but the\ncode completes found instead. This can lead to issues such as NULL pointer\ndereferences, double completion, or descriptor leaks.\n\nFix this by completing d instead of found in the final\nlist_for_each_entry_safe() loop."}], "id": "CVE-2026-31436", "lastModified": "2026-04-27T14:16:38.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-22T14:16:36.843", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0e4f43779d550e559be13a5cdb763bad92c4cc99"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/82656e8daf8de00935ae91b91bed43f4d6e0d644"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e1c9866173c5f8521f2d0768547a01508cb9ff27"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e21da2ad8844585040fe4b82be1ad2fe99d40074"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()", "id": "2460678", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460678"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-910", "details": ["A flaw was found in the Linux kernel's dmaengine subsystem, specifically within the idxd driver. This vulnerability occurs due to incorrect descriptor completion in the `llist_abort_desc()` function. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks, which can result in a denial of service."], "name": "CVE-2026-31436", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31436\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31436\nhttps://lore.kernel.org/linux-cve-announce/2026042242-CVE-2026-31436-7ac7@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aa8d18becc0c14aa3eb46d6d1b81450446e11b87,e21da2ad8844585040fe4b82be1ad2fe99d40074)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aa8d18becc0c14aa3eb46d6d1b81450446e11b87,82656e8daf8de00935ae91b91bed43f4d6e0d644)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aa8d18becc0c14aa3eb46d6d1b81450446e11b87,0e4f43779d550e559be13a5cdb763bad92c4cc99)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aa8d18becc0c14aa3eb46d6d1b81450446e11b87,e1c9866173c5f8521f2d0768547a01508cb9ff27)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.8"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.8)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.80,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.21,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.11,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T21:11:05.550064+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that includes the idxd descriptor completion fix; this replaces the buggy logic with a safe completion of the correct descriptor.", "If a patch is unavailable for the current platform, temporarily unload or blacklist the idxd module with \"modprobe -r idxd\" or add a modprobe option to disable it, reducing the attack surface until a kernel update can be applied.", "Consider disabling or restricting access to the DMA subsystem for non\u2011trusted applications, and monitor system logs for signs of anomalous DMA activity that could indicate exploitation attempts."], "summary": {"action": "Patch Kernel", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects the Linux kernel; the CNA entry lists \"Linux:Linux\" with no specific versions provided. Based on the description, it is inferred that any kernel build containing the idxd driver before the patch is vulnerable. System administrators should review the kernel version in use and determine if it predates the commit that fixes the bug.", "description_and_impact": "This vulnerability resides in the Linux kernel\u2019s DMA engine (idxd) subsystem and involves an incorrect completion of DMA descriptors during the llist_abort_desc() operation. The logic error causes the loop to complete the wrong descriptor, which can result in a NULL pointer dereference, double completion of a descriptor, or leakage of descriptors that are still in use. These flaws can destabilize the kernel, trigger a crash, or cause the DMA engine to misbehave, leading to unresponsive or halted services.", "risk_and_exploitability": "The CVSS score is 9.8, and the EPSS indicates a low exploitation probability (<1%). The vulnerability is not listed in CISA\u2019s KEV catalog, indicating no publicly known exploit at the time of this assessment. The likely attack vector is a local compromise that can supply malformed or crafted DMA descriptors to the idxd driver, such as a privileged user or a malicious application that can interact with the DMA subsystem. While remote exploitation is unlikely without local access, an attacker who gains sufficient privileges could force a kernel panic or degrade performance, creating a denial\u2011of\u2011service window."}}}}, "created": "2026-04-22T15:30:20.459236+00:00", "updated": "2026-04-28T21:15:39.681563+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}