Security Vulnerability Report
CVE-2026-31442 CVSS 7.8 HIGH

CVE-2026-31442

Published: 2026-04-22 14:16:38
Last Modified: 2026-05-07 19:28:28
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Fix possible invalid memory access after FLR

In the case that the first Function Level Reset (FLR) concludes correctly, but in the second FLR the scratch area for the saved configuration cannot be allocated, it's possible for an invalid memory access to happen.

Always set the deallocated scratch area to NULL after FLR completes.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-125

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.14 up to, excluding, 6.18.21) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19 up to, excluding, 6.19.11) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* - VULNERABLE
Linux Kernel (see the Git commit records in the reference links for details)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * Conceptual PoC for CVE-2026-31442
 * This C code simulates the logic flaw in the idxd driver.
 * The vulnerability occurs when a deallocated pointer is not set to NULL,
 * leading to invalid access if a subsequent reallocation fails.
 *
 * This is a user-space model, not a kernel exploit: the second FLR's
 * allocation failure is simulated with a flag, and the final read of freed
 * memory is undefined behaviour that AddressSanitizer or Valgrind will
 * report (build with -fsanitize=address to see it).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int config_data;
} device_config;

device_config *scratch_area = NULL;

// Set to 1 to simulate the second FLR's allocation failing (e.g., memory pressure).
static int simulate_alloc_failure = 1;

static device_config *alloc_scratch(void)
{
    if (simulate_alloc_failure)
        return NULL;
    return (device_config *)malloc(sizeof(device_config));
}

// Simulates the vulnerable FLR (Function Level Reset) process
void vulnerable_reset_sequence(void)
{
    printf("[+] Starting First FLR...\n");
    // First FLR: Allocation succeeds
    scratch_area = (device_config *)malloc(sizeof(device_config));
    if (scratch_area) {
        scratch_area->config_data = 0x1234;
        printf("[+] First FLR: Scratch area allocated at %p\n", (void *)scratch_area);
    }

    // Simulate FLR completion and deallocation
    printf("[+] First FLR Complete. Freeing scratch area...\n");
    free(scratch_area);
    // VULNERABILITY: The pointer is not set to NULL here.
    // scratch_area = NULL;   <--- Missing fix

    printf("[-] Starting Second FLR...\n");
    // Second FLR: Simulate allocation failure (e.g., memory pressure)
    device_config *new_area = alloc_scratch();
    if (new_area == NULL) {
        printf("[-] Second FLR: Allocation failed!\n");
        // The code might check if scratch_area exists before trying to restore/validate.
        // Since it was not NULLed, this condition passes, but the memory is invalid.
        if (scratch_area != NULL) {
            printf("[!] CRASH: Attempting to access invalid memory at %p\n", (void *)scratch_area);
            // This would cause a Use-After-Free or invalid access in kernel context
            int data = scratch_area->config_data;
            printf("Data: %d\n", data); // Unreachable in a real crash scenario; user space reaches it (undefined behaviour)
        }
    } else {
        scratch_area = new_area;
    }
}

int main(void)
{
    vulnerable_reset_sequence();
    return 0;
}
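The PoC above only shows the vulnerable path. As an added example (not code from the kernel tree or from the original report), the following C program models both sides of the fix described in the advisory: a reset_prepare/reset_done pair around a saved-configuration scratch buffer, run once successfully and then with the second allocation failing, in a vulnerable variant that leaves the freed pointer behind and a fixed variant that clears it. The structure and names (idxd_model, reset_prepare, reset_done, the FLR_* status codes) are hypothetical, the fault-injecting allocator stands in for kmalloc failing under memory pressure, and the scratch_valid flag stands in for KASAN so the stale access is reported as a return code instead of being performed.

```c
/*
 * Added example, not code from the kernel tree or the original report: a
 * user-space model of the CVE-2026-31442 pattern. All names (idxd_model,
 * reset_prepare, reset_done, FLR_* codes) are hypothetical. reset_prepare()
 * allocates a scratch buffer and saves the live configuration; reset_done()
 * restores from it and frees it. scratch_valid shadows the allocation state
 * (standing in for KASAN) so a stale pointer is reported, not dereferenced.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct dev_config {
    unsigned int wq_count;       /* constructed sample field */
};

struct idxd_model {
    struct dev_config live;      /* configuration programmed into the "device" */
    struct dev_config *scratch;  /* saved copy held across a reset */
    bool scratch_valid;          /* true only while *scratch is allocated */
    bool fail_next_alloc;        /* fault injection: next allocation returns NULL */
};

enum {                           /* hypothetical status codes, negative-errno style */
    FLR_OK = 0,
    FLR_ENOMEM = -12,            /* scratch allocation failed */
    FLR_NO_SAVED_CONFIG = -61,   /* nothing saved; device unconfigured, no bad access */
    FLR_STALE_SCRATCH = -1       /* reset_done() would have read freed memory */
};

/* Stand-in for kmalloc() that fails once on request, as memory pressure would. */
static struct dev_config *scratch_alloc(struct idxd_model *m)
{
    if (m->fail_next_alloc) {
        m->fail_next_alloc = false;
        return NULL;
    }
    return malloc(sizeof(struct dev_config));
}

/* Release the scratch area; 'fixed' selects whether the pointer is cleared. */
static void scratch_free(struct idxd_model *m, bool fixed)
{
    free(m->scratch);
    m->scratch_valid = false;
    if (fixed)
        m->scratch = NULL;       /* the fix: never leave the freed pointer behind */
}

/* Before the reset: allocate scratch and save the live configuration. */
static int reset_prepare(struct idxd_model *m)
{
    struct dev_config *s = scratch_alloc(m);
    if (s == NULL)
        return FLR_ENOMEM;       /* m->scratch untouched: dangling in the vulnerable variant */
    *s = m->live;
    m->scratch = s;
    m->scratch_valid = true;
    return FLR_OK;
}

/* After the reset: restore from scratch, if there is one, and release it. */
static int reset_done(struct idxd_model *m, bool fixed)
{
    if (m->scratch == NULL)
        return FLR_NO_SAVED_CONFIG;
    if (!m->scratch_valid)
        return FLR_STALE_SCRATCH; /* the use-after-free KASAN would report */
    m->live = *m->scratch;
    scratch_free(m, fixed);
    return FLR_OK;
}

/* FLR #1 succeeds, then FLR #2 runs with its scratch allocation failing; returns
 * reset_done()'s status for FLR #2. The reset is modelled as wiping the live
 * configuration whether or not reset_prepare() succeeded. */
int run_double_flr(bool fixed)
{
    struct idxd_model m = { .live = { .wq_count = 8 } };
    int rc = reset_prepare(&m);
    if (rc)
        return rc;
    m.live.wq_count = 0;         /* the reset wipes the device configuration */
    rc = reset_done(&m, fixed);
    if (rc)
        return rc;
    m.fail_next_alloc = true;
    (void)reset_prepare(&m);     /* FLR_ENOMEM in both variants */
    m.live.wq_count = 0;
    return reset_done(&m, fixed);
}

int main(void)
{
    printf("vulnerable: %d (FLR_STALE_SCRATCH is %d)\n", run_double_flr(false), FLR_STALE_SCRATCH);
    printf("fixed:      %d (FLR_NO_SAVED_CONFIG is %d)\n", run_double_flr(true), FLR_NO_SAVED_CONFIG);
    return 0;
}
```

Build with any C99 compiler and run: the vulnerable variant returns FLR_STALE_SCRATCH on the second reset because the pointer left behind by the first free still passes the NULL check, while the fixed variant returns FLR_NO_SAVED_CONFIG and never touches freed memory. Whether a driver should continue configuring the device after a failed save is a separate design decision; the fix in the advisory only guarantees that the freed scratch area is never reused.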

References

https://git.kernel.org/stable/c/504c0e6751001ac46917c73e703f2b1b92cfc026 (Patch)
https://git.kernel.org/stable/c/867d0c801f21370d561420fa32f2ea1a7dc3a22d (Patch)
https://git.kernel.org/stable/c/d6077df7b75d26e4edf98983836c05d00ebabd8d (Patch)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31442", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-22T14:16:37.703", "lastModified": "2026-05-07T19:28:27.587", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix possible invalid memory access after FLR\n\nIn the case that the first Function Level Reset (FLR) concludes\ncorrectly, but in the second FLR the scratch area for the saved\nconfiguration cannot be allocated, it's possible for a invalid memory\naccess to happen.\n\nAlways set the deallocated scratch area to NULL after FLR completes."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.18.21", "matchCriteriaId": "A92793EC-8117-409C-996C-47A04124C722"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/504c0e6751001ac46917c73e703f2b1b92cfc026", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/867d0c801f21370d561420fa32f2ea1a7dc3a22d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d6077df7b75d26e4edf98983836c05d00ebabd8d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}