CVE-2026-31436 Linux CVE debrief

Who should care

Organizations running Linux kernels 6.8+ with Intel Data Streaming Accelerator (IDXD) hardware enabled; cloud providers offering bare-metal or virtualized instances with DSA/IDXD passthrough; HPC environments utilizing Intel DSA for memory operations; kernel maintainers and distribution vendors packaging IDXD driver support

Technical summary

The `llist_abort_desc()` function in `drivers/dma/idxd/` incorrectly completes the `found` descriptor instead of the traversal cursor `d` in its final cleanup loop. This logic error can trigger NULL pointer dereferences when `found` is NULL, cause double-completion if `found` points to an already-completed descriptor, or leak descriptors if the actual cursor `d` is never completed. The bug affects the Intel Data Streaming Accelerator (IDXD) driver's abort path, which is invoked during error handling or device teardown scenarios.

Defensive priority

critical

Recommended defensive actions

• Apply kernel patches from stable branches: 6.12.80 or later, 6.18.21 or later, 6.19.11 or later, or 7.0-rc7 or later
• Reboot systems after kernel update to ensure patched code is active
• Verify IDXD driver is not loaded on unpatched systems if immediate patching is not feasible
• Monitor kernel logs for NULL pointer dereference or descriptor-related errors in dmaengine_idxd
• Review systems utilizing Intel Data Streaming Accelerator (IDXD) for DMA operations as priority patching targets

Evidence notes

Vulnerability description and patch references sourced from NVD. CWE-476 (NULL Pointer Dereference) assigned by NVD. Affected version ranges derived from CPE criteria in source data. CVSS vector confirms network-reachable attack surface with no privileges required.

Official resources