PatchSiren

CVE-2026-46034 Linux CVE debrief

A NULL pointer dereference vulnerability exists in the Linux kernel's VFIO CDX driver. The flaw occurs in vfio_cdx_set_msi_trigger() when userspace invokes VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before configuring MSI interrupts via VFIO_IRQ_SET_DATA_EVENTFD. The cdx_irqs array is only allocated and config_msi set to 1 when vfio_cdx_msi_enable() is called through the EVENTFD path, but the trigger loop assumed this initialization had already occurred without enforcing proper call ordering. The fix adds validation to ensure MSI is configured before accessing the cdx_irqs array, matching the protection pattern used in the PCI VFIO driver.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux kernels with VFIO CDX support enabled, particularly those using CDX (Compute Express Link) devices with VFIO passthrough in virtualized or containerized environments.

Technical summary

The vulnerability is a NULL pointer dereference in the VFIO CDX driver's MSI interrupt handling. The cdx_irqs array is allocated only when MSI is enabled via the EVENTFD path, but the trigger path for DATA_BOOL/DATA_NONE flags did not verify this precondition. Userspace could trigger the dereference by calling VFIO_DEVICE_SET_IRQS with trigger flags before proper MSI setup. The fix adds a config_msi check before the trigger loop, consistent with the PCI VFIO driver's vfio_pci_set_msi_trigger() implementation.
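
The call-ordering flaw and the added precondition, shown as a userspace C model added here for illustration; it is not the kernel's code or the upstream patch. The struct layout, the model_* function names, the MODEL_NULL_DEREF marker and the -EINVAL return value are assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
/* Names mirror the VFIO uAPI flags; the values are local to this model. */
enum { DATA_NONE = 1, DATA_BOOL = 2, DATA_EVENTFD = 4 };
#define MODEL_NULL_DEREF 1 /* marks where the unfixed kernel path would oops */
struct model_dev {
    int *cdx_irqs;        /* per-vector trigger slots; NULL until EVENTFD setup */
    int config_msi;       /* set to 1 only by model_msi_enable() */
    unsigned int num_msi;
};

/* Stand-in for the EVENTFD path: allocate cdx_irqs, set config_msi, arm vectors. */
static int model_msi_enable(struct model_dev *d, unsigned int start, unsigned int count)
{
    if (!d->config_msi && !(d->cdx_irqs = calloc(d->num_msi, sizeof(*d->cdx_irqs))))
        return -ENOMEM;
    d->config_msi = 1;
    for (unsigned int i = start; i < start + count; i++)
        d->cdx_irqs[i] = 1;
    return 0;
}

/* Model of the SET_IRQS MSI handler; 'checked' enables the added precondition. */
static int model_set_msi_trigger(struct model_dev *d, unsigned int start,
                                 unsigned int count, int flags, bool checked)
{
    if (start > d->num_msi || count > d->num_msi - start)
        return -EINVAL;
    if (flags & DATA_EVENTFD)
        return model_msi_enable(d, start, count);
    if (checked && !d->config_msi)
        return -EINVAL; /* assumed errno; reject before touching cdx_irqs */
    for (unsigned int i = start; i < start + count; i++)
        if (!d->cdx_irqs)
            return MODEL_NULL_DEREF; /* kernel would index a NULL array here */
    return 0; /* eventfd signalling itself is left out of the model */
}

/* Issue a DATA_NONE trigger for vector 0, optionally after EVENTFD setup. */
int model_run(bool configure_first, bool checked)
{
    struct model_dev d = { .num_msi = 4 };
    if (configure_first && model_set_msi_trigger(&d, 0, 1, DATA_EVENTFD, checked))
        return -ENOMEM;
    int rc = model_set_msi_trigger(&d, 0, 1, DATA_NONE, checked);
    free(d.cdx_irqs);
    return rc;
}
```

Calling model_run(false, false) reaches the marked point, while model_run(false, true) is rejected before the array is touched; both orderings succeed once the EVENTFD path has run first.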

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable tree commits when available for your distribution
  • Verify VFIO CDX driver is not exposed to untrusted userspace if patching is delayed
  • Monitor distribution security advisories for backported fixes
  • Review VFIO device access controls to limit exposure to privileged users only

Evidence notes

CVE published 2026-05-27T14:17:22.463Z; modified 2026-05-27T14:48:03.013Z. Four kernel.org stable tree commits provided as references. No CVSS score or severity assigned by NVD at time of disclosure; status 'Awaiting Analysis'.
