CRITICAL
dmaengine Descriptor UAF
CVE-2026-31436
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 6.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()

At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks. Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.
02 KernelScan AI Analysis
Risk summary
A logic error in Intel IDXD DMA engine descriptor cleanup can cause use-after-free conditions, potentially leading to kernel memory corruption or crashes. This affects systems with Intel Data Streaming Accelerator hardware connected via PCIe and requires root privileges to exploit.
Vulnerability analysis
The bug occurs in llist_abort_desc(): in the final cleanup loop over the descriptor list, the code completes the stale 'found' pointer instead of the current iteration variable 'd'. Because 'found' is the same pointer on every iteration, the entries of the list are never completed (descriptor leak), 'found' is completed once per entry on top of its earlier completion (double completion, and a use-after-free once the descriptor has been freed), and when no descriptor was found the NULL pointer is dereferenced. The fix uses the correct loop variable so that each descriptor in the list is completed exactly once. Attack surface is limited to systems with Intel IDXD PCIe hardware and requires root privileges to access DMA engine interfaces.
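To make the wrong-variable bug concrete, the following is an added illustration (not the idxd driver's code): a toy intrusive list with a hypothetical complete_desc() standing in for the driver's completion helper, run once in the buggy shape (completing 'found' every iteration) and once in the fixed shape (completing the cursor d), so the leak, double completion and NULL case can be counted.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the driver's descriptor type and completion
 * helper (not idxd's own). Each descriptor counts how often it was completed. */
struct desc {
    int completions;
    struct desc *next;
};

static int complete_desc(struct desc *d)
{
    if (!d)
        return -1;                  /* stands in for the NULL pointer dereference */
    d->completions++;
    return 0;
}

/* Shape of the final loop in llist_abort_desc(). The buggy variant passes the
 * stale 'found' pointer on every iteration; the fixed variant passes the
 * cursor d. Returns how many iterations would have dereferenced NULL. */
static int drain_flist(struct desc *flist, struct desc *found, int fixed)
{
    struct desc *d, *t;
    int null_derefs = 0;

    for (d = flist; d; d = t) {
        t = d->next;                /* _safe variant: fetch next before completing */
        if (complete_desc(fixed ? d : found) < 0)
            null_derefs++;
    }
    return null_derefs;
}

/* Constructed scenario: a three-entry flist plus one aborted descriptor, which
 * is completed once before the loop (as the real function does), then drained.
 * which 0..2: completions of that flist entry; 3: completions of the aborted
 * descriptor; 4: number of NULL dereferences during the drain. */
int scenario(int fixed, int found_present, int which)
{
    struct desc aborted = {0, NULL};
    struct desc list[3] = {{0, NULL}, {0, NULL}, {0, NULL}};
    struct desc *found = found_present ? &aborted : NULL;
    int nulls;

    list[0].next = &list[1];
    list[1].next = &list[2];
    if (found)
        complete_desc(found);
    nulls = drain_flist(&list[0], found, fixed);

    if (which < 3)
        return list[which].completions;
    return which == 3 ? aborted.completions : nulls;
}
```

In the buggy shape the aborted descriptor is completed four times while the three list entries are never completed; with no descriptor found, every iteration hits NULL. The fixed shape completes each entry exactly once.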
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.80 | e21da2ad8844 |
| 6.18 | 6.18.21 | 82656e8daf8d |
| 6.19 | 6.19.11 | 0e4f43779d55 |
| mainline | 7.0 | e1c9866173c5 |