CVE-2026-31523 Overview
A race condition vulnerability has been identified in the Linux kernel's NVMe-PCI driver. The vulnerability exists in the polled queue handling mechanism, where a user can change the polled queue count at runtime. During a reset operation there is a brief window in which a high-priority (hipri) task may still poll a queue before the block layer has updated its queue maps. That queue is by then interrupt-driven, so the polling path and the interrupt handler race on the same completions, which may result in double completions.
Critical Impact
This race condition in the NVMe-PCI subsystem can lead to double completions, potentially causing system instability, data corruption, or denial of service conditions on systems using NVMe storage devices with polling enabled.
Affected Products
- Linux Kernel (NVMe-PCI subsystem)
- Systems using NVMe storage devices with polled queues
- Linux distributions with affected kernel versions
Discovery Timeline
- 2026-04-22 - CVE-2026-31523 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-31523
Vulnerability Analysis
This vulnerability is a race condition in the Linux kernel's NVMe-PCI driver, specifically in the polled queue management code. The issue arises from the ability for users to modify the polled queue count at runtime, creating a synchronization gap during reset operations.
When the system undergoes a reset, there exists a timing window where the block layer's queue maps have not yet been updated to reflect the new queue configuration. During this window, a high-priority task may attempt to poll a queue that has transitioned from polling mode to interrupt-driven mode. Since the task still believes the queue is polled while it's actually interrupt-driven, both the polling mechanism and the interrupt handler may attempt to complete the same I/O operation, resulting in double completions.
Double completions in the kernel's block layer can lead to use-after-free conditions, memory corruption, or kernel panics, making this a significant stability and potential security concern for systems utilizing NVMe storage with polling capabilities.
Root Cause
The root cause lies in insufficient synchronization between the user-configurable polled queue count changes and the block layer's queue map updates during reset operations. The NVMe-PCI driver does not properly ensure that high-priority polling tasks cannot access queues that are transitioning between polled and interrupt-driven modes.
Attack Vector
The vulnerability can be triggered through runtime modification of polled queue counts combined with timing-sensitive operations that exploit the reset window. An attacker with local access and the ability to modify NVMe queue parameters could potentially trigger the race condition to cause system instability or denial of service.
The exploitation scenario involves:
- Modifying the polled queue count at runtime
- Triggering a device reset
- Scheduling high-priority I/O tasks that poll the transitioning queues
- Racing the queue state change to achieve double completions
Detection Methods for CVE-2026-31523
Indicators of Compromise
- Unexpected kernel panics or system crashes related to NVMe subsystem
- Double completion warnings or errors in kernel logs (dmesg)
- NVMe driver error messages indicating queue state inconsistencies
- System instability during NVMe device resets or queue reconfiguration
Detection Strategies
- Monitor kernel logs for NVMe-PCI driver errors and warnings related to queue completions
- Implement kernel tracing (ftrace) on NVMe polling functions to detect anomalous completion patterns
- Deploy kernel crash dump analysis to identify double-free or use-after-free conditions in NVMe code paths
- Use perf or BPF-based tools to monitor NVMe queue transitions during reset operations
Monitoring Recommendations
- Enable verbose NVMe logging in production environments with polled queues
- Configure crash dump collection (kdump) to capture kernel state during potential exploitation
- Implement system monitoring for unexpected NVMe device resets or queue count changes
- Review audit logs for unauthorized modifications to NVMe device parameters
How to Mitigate CVE-2026-31523
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Restrict runtime modification of NVMe polled queue counts to authorized administrators
- Consider disabling polled queues temporarily on critical systems until patched
- Monitor systems for signs of exploitation or instability
Patch Information
The Linux kernel development team has released patches to address this vulnerability. Multiple commits have been applied to stable kernel branches:
- Kernel Commit 0685dd9c
- Kernel Commit 166e31d7
- Kernel Commit 6f12734c
- Kernel Commit 965e2c94
- Kernel Commit acbc72dd
- Kernel Commit b222680b
- Kernel Commit b96c7b25
- Kernel Commit ba167d59
The patches ensure proper synchronization between polled queue state changes and the block layer's queue map updates, preventing high-priority tasks from polling queues during the transition window.
Workarounds
- Disable NVMe polled I/O by setting the poll_queues parameter to 0. The parameter belongs to the nvme (PCI driver) module, not nvme_core, so use nvme.poll_queues=0 on the kernel command line or options nvme poll_queues=0 in modprobe configuration
- Avoid runtime modification of polled queue counts on production systems
- Implement access controls to prevent unauthorized users from modifying NVMe device parameters
- Schedule NVMe configuration changes during maintenance windows with reduced system load
# Configuration example
# Disable NVMe polled queues as a temporary mitigation. poll_queues is a
# parameter of the nvme (PCI) module; the boot-time equivalent is adding
# nvme.poll_queues=0 to the kernel command line.
echo "options nvme poll_queues=0" | sudo tee /etc/modprobe.d/nvme-disable-polling.conf
# If nvme is loaded from the initramfs, rebuild it so the option applies at
# boot (e.g. update-initramfs -u on Debian/Ubuntu, dracut -f on Fedora/RHEL)
# Reload the module if possible; this fails when nvme is built in or still in
# use (e.g. the root filesystem is on NVMe), in which case schedule a reboot
sudo modprobe -r nvme && sudo modprobe nvme
# Verify polling is disabled (expected output: 0)
cat /sys/module/nvme/parameters/poll_queues
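A host audit that combines the detection strategies above (kernel-log review for NVMe faults around resets) with the poll_queues workaround check, added here as an example; it is not part of the advisory or of the kernel's own code. It assumes the sysfs path of the nvme module's poll_queues parameter; the symptom regexes and the sample log lines are constructed for illustration, not quoted from the kernel.

```python
"""Audit for CVE-2026-31523 exposure: polled NVMe I/O on, and log faults in nvme/blk-mq paths."""
import re
from pathlib import Path

POLL_PARAM = "/sys/module/nvme/parameters/poll_queues"  # parameter of the nvme (PCI) module
# Assumed symptom patterns, not quoted from the kernel: a reset message, a
# warning/oops marker, and nvme/blk-mq poll or completion symbols in a trace.
RESET_RE = re.compile(r"\bnvme\w*: .*reset", re.I)
FAULT_RE = re.compile(r"WARNING:|BUG:|general protection|use-after-free|KASAN", re.I)
PATH_RE = re.compile(r"\b(?:nvme_(?:poll|irq|pci_complete|handle_cqe)|blk_mq_(?:poll|complete))\w*")

def parse_poll_queues(text):
    """Polled-queue count from the parameter file text; 0 if empty or malformed."""
    text = text.strip()
    return int(text) if text.isdigit() else 0

def poll_queues_enabled(param_path=POLL_PARAM):
    """Configured count; 0 when polling is off or the nvme module is not loaded."""
    try:
        return parse_poll_queues(Path(param_path).read_text())
    except OSError:
        return 0

def scan_kernel_log(lines, trace_window=12):
    """Count resets/faults; flag a fault if an nvme/blk-mq poll or completion
    symbol appears within trace_window lines after it (i.e. in its stack trace)."""
    resets = faults = 0
    flagged, pending = [], None  # pending = (fault line, trace lines left)
    for line in lines:
        if RESET_RE.search(line):
            resets += 1
        if FAULT_RE.search(line):
            faults += 1
            pending = (line.strip(), trace_window)
            continue
        if pending and PATH_RE.search(line):
            flagged.append(pending[0])
            pending = None
        elif pending:
            pending = (pending[0], pending[1] - 1) if pending[1] > 1 else None
    return {"resets": resets, "faults": faults, "nvme_path_faults": flagged,
            "exposure_signal": resets > 0 and bool(flagged)}

# Constructed sample in kernel-log style; timestamps, PID and offsets are made up.
SAMPLE_LOG = """\
[  120.001] nvme nvme0: resetting controller
[  120.310] WARNING: CPU: 3 PID: 1187 at block/blk-mq.c:123 blk_mq_complete_request+0x1a/0x40
[  120.311] Call Trace:
[  120.311]  nvme_poll+0x8c/0x150 [nvme]
""".splitlines()
```

On a live host, feed `scan_kernel_log` the output of `journalctl -k` or `dmesg` split into lines; a non-zero `poll_queues_enabled()` on an unpatched kernel is the exposure to act on.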
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

