CVE-2026-31561 Overview
CVE-2026-31561 is a vulnerability in the Linux kernel affecting the x86/cpu subsystem related to the CR4 control register pinned bits mask and the FRED (Flexible Return and Event Delivery) feature. The vulnerability creates a timing window during boot when exceptions cannot be properly handled, particularly impacting systems running as SEV-ES, SEV-SNP, or TDX guests, which can lead to triple faults and system crashes.
The core issue stems from a design flaw where the FRED CR4 bit was added to the CR4 pinned bits mask, creating a problematic initialization sequence between the BSP (Bootstrap Processor) and APs (Application Processors). An earlier fix attempted to address this by temporarily disabling CR4 pinning when an AP is not online, but this introduced a security weakness where an attacker could manipulate the online bit in RW memory to disable CR4 pinning and subsequently disable SM*P protections.
Critical Impact
Local attackers with low privileges can cause denial of service through system crashes. The vulnerability affects systems using FRED on x86 architecture, particularly impacting confidential computing environments like SEV-ES, SEV-SNP, and TDX guests.
Affected Products
- Linux Kernel versions 6.9.x
- Linux Kernel version 7.0 (rc1 through rc7)
- Linux Kernel versions prior to the security patch
Discovery Timeline
- April 24, 2026 - CVE-2026-31561 published to NVD
- April 27, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31561
Vulnerability Analysis
This vulnerability affects the CR4 control register handling in the Linux kernel's x86/cpu subsystem. The CR4 register contains critical CPU control flags including those for Supervisor Mode Execution Prevention (SMEP) and Supervisor Mode Access Prevention (SMAP). The FRED feature introduces new exception handling mechanisms that require specific MSR (Model-Specific Register) configurations during processor initialization.
The fundamental issue lies in the boot sequence timing between the Bootstrap Processor (BSP) and Application Processors (APs). When FRED initialization occurs on the BSP first, a window exists where APs cannot properly handle exceptions because the FRED MSRs have not yet been configured. This window is particularly dangerous for confidential computing environments running as SEV-ES, SEV-SNP, or TDX guests, where exceptions during this period result in triple faults.
A prior attempted fix introduced a new security concern: by temporarily disabling CR4 pinning when an AP is not online, an attacker who can modify the online bit (located in RW memory) gains the ability to disable CR4 pinning entirely. This opens the door to disabling SM*P protections, leading to potential privilege escalation or further system compromise.
Root Cause
The root cause is the inclusion of the X86_CR4_FRED bit in the CR4 pinned bits mask without properly accounting for the asynchronous nature of processor initialization during system boot. The CR4 pinning mechanism was designed to prevent unauthorized modifications to critical control register bits, but the FRED initialization sequence creates a temporal gap where this protection becomes problematic.
When exceptions occur during the window between BSP FRED initialization and AP FRED initialization, the system lacks proper exception handling infrastructure, causing catastrophic failures in virtualized environments that rely on specific exception delivery mechanisms.
Attack Vector
The vulnerability requires local access to the system with low-level privileges. An attacker could exploit this vulnerability by:
- Targeting systems during boot or processor hotplug events
- Manipulating the processor online status bit in memory
- Forcing exception conditions during the vulnerable initialization window
- Leveraging the temporary CR4 pinning bypass to modify protected control register bits
The attack is particularly concerning because it targets a single bit in RW memory, making it a relatively low-complexity exploit path once local access is achieved. The resolution removes the FRED bit from the CR4 pinning mask entirely, ensuring that if FRED is disabled through CR4 manipulation, the idt_invalidate() function will cause the system to crash on the first exception, providing a fail-secure outcome.
Detection Methods for CVE-2026-31561
Indicators of Compromise
- Unexpected system crashes or triple faults during boot sequences
- Kernel panic messages referencing CR4, FRED, or exception handling failures
- Anomalous processor state changes in SEV-ES, SEV-SNP, or TDX guest environments
- Suspicious modifications to processor online status in /sys/devices/system/cpu/
Detection Strategies
- Monitor kernel logs for CR4 pinning-related messages or FRED initialization failures
- Implement runtime integrity checking for processor control register states
- Deploy endpoint detection solutions capable of monitoring low-level CPU state changes
- Track boot sequence anomalies and unexpected processor exception events
Monitoring Recommendations
- Enable detailed kernel logging for x86/cpu subsystem events
- Configure alerts for unexpected triple faults or boot failures in virtualized environments
- Monitor SEV-ES, SEV-SNP, and TDX guest stability metrics
- Implement system integrity verification for critical boot sequences
How to Mitigate CVE-2026-31561
Immediate Actions Required
- Update the Linux kernel to the latest patched version containing the security fix
- Review and audit systems using FRED on x86 architecture for potential exposure
- Prioritize patching for systems running as SEV-ES, SEV-SNP, or TDX guests
- Monitor system stability during boot sequences until patches are applied
Patch Information
The vulnerability has been resolved through multiple kernel commits that remove X86_CR4_FRED from the CR4 pinned bits mask. This fix ensures that FRED functionality can be safely disabled through CR4 modification, with idt_invalidate() providing a fail-secure mechanism on subsequent exceptions.
Official patches are available through the following kernel commits:
- Kernel Git Commit 00d956d
- Kernel Git Commit 411df12
- Kernel Git Commit a6e1411
- Kernel Git Commit d7853d9
Workarounds
- Disable FRED functionality via kernel boot parameters if patching is not immediately feasible
- Limit local access to systems running vulnerable kernel versions
- Implement additional access controls for processor configuration interfaces
- Consider disabling processor hotplug capabilities on critical systems until patched
# Check current kernel version for vulnerability assessment
uname -r
# Verify if FRED is enabled (check for FRED-related CPU flags)
grep -i fred /proc/cpuinfo
# Monitor for CR4-related kernel messages
dmesg | grep -i cr4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
