KernelScan.io

HIGH

dmaengine IDXD UAF

CVE-2026-31442

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.3 HIGH

01

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix possible invalid memory access after FLR. In the case that the first Function Level Reset (FLR) concludes correctly, but in the second FLR the scratch area for the saved configuration cannot be allocated, it's possible for an invalid memory access to happen. Always set the deallocated scratch area to NULL after FLR completes.

02

Engine v0.2.0

Risk summary

Local attackers with low privileges can trigger a use-after-free/double-free vulnerability in the Intel IDXD DMA engine driver during Function Level Reset (FLR) error recovery. This leads to kernel heap memory corruption (integrity impact) and can cause kernel panics (availability impact), with limited potential to leak freed heap data (confidentiality impact) on systems with Intel DSA/IAA hardware.

Affected: drivers/dma/idxd/init.c (Intel Data Streaming Accelerator)

Vulnerability analysis

The vulnerability exists in the IDXD driver's FLR completion path. When the first FLR completes, idxd->idxd_saved is kfree'd but not nulled. If a second FLR occurs and allocation of the scratch area fails, the stale dangling pointer is accessed again, resulting in an invalid memory access (use-after-free or double-free). The fix adds a single line to set idxd->idxd_saved = NULL after kfree(). The attack surface is local: an attacker must be able to interact with the IDXD device (e.g., via a userspace work queue) to induce the error conditions that trigger repeated FLR handling.

03

Branch     Fixed in   Patch commit
6.18       6.18.21    504c0e675100
6.19       6.19.11    867d0c801f21
mainline   7.0        d6077df7b75d