PatchSiren


CVE-2026-46036 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's VFIO CDX (Composable DMA Transfer) driver. The flaw is in vfio_cdx_set_msi_trigger(), where concurrent VFIO_DEVICE_SET_IRQS ioctls can race: one thread observes vdev->config_msi as set while another clears it and frees vdev->cdx_irqs via vfio_cdx_msi_disable(), so the first thread goes on to use the freed cdx_irqs array. The fix introduces a per-device cdx_irqs_lock mutex that serializes all updates to config_msi, cdx_irqs, and msi_count through the single chokepoint vfio_cdx_set_msi_trigger(), covering both ioctl paths and close-device cleanup. The vulnerability was resolved on 2026-05-27. No CVSS score or severity has been assigned; the CVE status is Awaiting Analysis.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux kernels with VFIO CDX support enabled, particularly those using device passthrough for virtualization or confidential computing workloads with untrusted guests. Cloud providers and enterprises with PCI/PCIe device assignment to VMs should prioritize patching.

Technical summary

The VFIO CDX driver in the Linux kernel lacked proper synchronization when handling VFIO_DEVICE_SET_IRQS ioctls. The vfio_cdx_set_msi_trigger() function reads vdev->config_msi and operates on vdev->cdx_irqs without serialization against concurrent ioctls. This race condition enables one thread to observe config_msi as set while another clears it and frees cdx_irqs, resulting in use-after-free. The fix adds a cdx_irqs_lock mutex to struct vfio_cdx_device, acquired in vfio_cdx_set_msi_trigger() to atomically protect config_msi tests and subsequent enable/disable/trigger operations across both ioctl and cleanup paths.
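
A userspace model of that serialization, added here as an illustration and not the kernel's code: a pthread mutex stands in for the kernel mutex, and struct model_dev and the model_* functions are hypothetical names. Every test of config_msi and every allocation, use and free of cdx_irqs runs inside the one locked function, including the final cleanup call.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

struct model_dev {                  /* hypothetical stand-in for the device state */
    pthread_mutex_t cdx_irqs_lock;  /* guards the three fields below */
    bool config_msi;
    int *cdx_irqs;
    unsigned int msi_count;
};
/* Single chokepoint: count == 0 disables, else enable if needed and use `start`. */
int model_set_msi_trigger(struct model_dev *d, unsigned int start, unsigned int count)
{
    int ret = -1;                           /* -1: not enabled or bad vector */
    pthread_mutex_lock(&d->cdx_irqs_lock);  /* check, alloc, use, free: all locked */
    if (count == 0) {                       /* disable, also the close-device path */
        free(d->cdx_irqs);
        d->cdx_irqs = NULL;
        d->msi_count = 0;
        d->config_msi = false;
        ret = 0;
    } else {
        if (!d->config_msi && (d->cdx_irqs = calloc(count, sizeof(int)))) {
            d->msi_count = count;
            d->config_msi = true;
        }
        if (d->config_msi && start < d->msi_count)
            ret = ++d->cdx_irqs[start];     /* the "use"; returns trigger count */
    }
    pthread_mutex_unlock(&d->cdx_irqs_lock);
    return ret;
}
static void *model_worker(void *arg)        /* alternates trigger and disable */
{
    for (unsigned int i = 0; i < 20000; i++)
        model_set_msi_trigger(arg, 0, i % 3 ? 4 : 0);
    return NULL;
}
int model_race_then_close(void)             /* 1 if the end state is consistent */
{
    struct model_dev d = { .cdx_irqs_lock = PTHREAD_MUTEX_INITIALIZER };
    pthread_t t[2];
    int n = 0;
    while (n < 2 && pthread_create(&t[n], NULL, model_worker, &d) == 0)
        n++;
    for (int i = 0; i < n; i++)
        pthread_join(t[i], NULL);
    model_set_msi_trigger(&d, 0, 0);        /* close-device cleanup, same lock */
    return n == 2 && !d.config_msi && !d.cdx_irqs && !d.msi_count;
}
```

Building the model with -fsanitize=thread or -fsanitize=address is a quick way to confirm that no access to cdx_irqs escapes the lock.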

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches once available for your distribution
  • Verify that the vfio_cdx driver is not loaded on systems where CDX/PCIe device passthrough is not required
  • Monitor vendor security advisories for backported fixes to long-term support kernels
  • Review systems using VFIO for device passthrough to untrusted workloads as potential attack surface

Evidence notes

Vulnerability description and fix details are sourced from the official CVE record and NVD entry. Patch commits referenced in the source metadata confirm the mutex-based serialization fix. No KEV listing or known ransomware campaign use has been identified.
