{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31468", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.097Z", "datePublished": "2026-04-22T13:53:57.583Z", "dateUpdated": "2026-04-22T13:53:57.583Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:53:57.583Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Fix double free in dma-buf feature\n\nThe error path through vfio_pci_core_feature_dma_buf() ignores its\nown advice to only use dma_buf_put() after dma_buf_export(), instead\nfalling through the entire unwind chain. In the unlikely event that\nwe encounter file descriptor exhaustion, this can result in an\nunbalanced refcount on the vfio device and double free of allocated\nobjects.\n\nAvoid this by moving the \"put\" directly into the error path and return\nthe errno rather than entering the unwind chain."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/vfio/pci/vfio_pci_dmabuf.c"], "versions": [{"version": "5d74781ebc86c5fa9e9d6934024c505412de9b52", "lessThan": "83ad334afc9a645cef1062f5346526b1e36d6516", "status": "affected", "versionType": "git"}, {"version": "5d74781ebc86c5fa9e9d6934024c505412de9b52", "lessThan": "e98137f0a874ab36d0946de4707aa48cb7137d1c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/vfio/pci/vfio_pci_dmabuf.c"], "versions": [{"version": "6.19", "status": "affected"}, {"version": "0", "lessThan": "6.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/83ad334afc9a645cef1062f5346526b1e36d6516"}, {"url": "https://git.kernel.org/stable/c/e98137f0a874ab36d0946de4707aa48cb7137d1c"}], "title": "vfio/pci: Fix double free in dma-buf feature", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Fix double free in dma-buf feature\n\nThe error path through vfio_pci_core_feature_dma_buf() ignores its\nown advice to only use dma_buf_put() after dma_buf_export(), instead\nfalling through the entire unwind chain. In the unlikely event that\nwe encounter file descriptor exhaustion, this can result in an\nunbalanced refcount on the vfio device and double free of allocated\nobjects.\n\nAvoid this by moving the \"put\" directly into the error path and return\nthe errno rather than entering the unwind chain."}], "id": "CVE-2026-31468", "lastModified": "2026-04-22T14:16:43.143", "metrics": {}, "published": "2026-04-22T14:16:43.143", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/83ad334afc9a645cef1062f5346526b1e36d6516"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e98137f0a874ab36d0946de4707aa48cb7137d1c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5d74781ebc86c5fa9e9d6934024c505412de9b52,83ad334afc9a645cef1062f5346526b1e36d6516)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5d74781ebc86c5fa9e9d6934024c505412de9b52,e98137f0a874ab36d0946de4707aa48cb7137d1c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.19"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.19)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T19:01:15.249887+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the fix introduced by commit 83ad334afc9a645cef1062f5346526b1e36d6516 or later.", "As a temporary measure, disable or limit the use of VFIO PCI devices that rely on dma-buf usage to prevent file descriptor exhaustion.", "Monitor kernel logs for panic indications and configure automatic reboot or failover to minimize disruption."], "summary": {"action": "Patch", "impact": "Memory corruption potentially leading to denial of service or privilege escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects all Linux kernel versions that include the buggy vfio_pci code and have not yet applied the commit that moves the dma_buf_put() into the error path. Known affected vendors are any Linux distributions that ship the stock kernel. No specific version list is provided, so all current kernels prior to the fix are potentially impacted.", "description_and_impact": "The Linux kernel contains a double free bug in the vfio_pci_core_feature_dma_buf() path. When a VFIO PCI device runs out of file descriptors, the error handling bypasses a proper dma_buf_put(), causing the device\u2019s reference count to become unbalanced. This unbalanced refcount can lead to multiple frees of the same memory region, corrupting kernel memory. If an attacker can trigger this scenario, they may cause a kernel panic or potentially leverage the memory corruption to gain higher privilege or execute arbitrary code.", "risk_and_exploitability": "The CVSS score is not listed, and no EPSS score is available, so the exact severity cannot be quantified. The vulnerability is not included in CISA\u2019s KEV catalog, thus no evidence of active exploitation. Based on the description, it is inferred that exploiting the double free would require local access to a VFIO PCI device that can exhaust file descriptors, implying the attack vector is local. Nonetheless, the potential for kernel memory corruption could lead to denial of service or privilege escalation, making the risk significant."}}}}, "created": "2026-04-22T17:00:11.728429+00:00", "updated": "2026-04-22T19:15:24.476300+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}