CVE-2026-31594 Overview
CVE-2026-31594 affects the Linux kernel PCI endpoint subsystem, specifically the pci-epf-vntb (virtual non-transparent bridge) driver. The function epf_ntb_epc_destroy() duplicates teardown work that the caller performs later, leading to a kernel oops. The fault triggers when .allow_link fails or when .drop_link runs through configfs, producing an invalid pointer dereference at dead000000000108. The bug is reachable by a local low-privileged user able to manipulate configfs symlinks on a system that exposes the PCI endpoint framework. Successful triggering crashes the kernel and causes a denial of service on the host.
Critical Impact
A local low-privileged user can cause a kernel oops and denial of service by triggering the duplicate teardown path in the PCI endpoint virtual NTB driver.
Affected Products
- Linux Kernel (mainline, multiple stable branches)
- Distributions shipping the pci-epf-vntb virtual NTB endpoint driver
- Systems with CONFIG_PCI_EPF_VNTB enabled and configfs-based EPC management
Discovery Timeline
- 2026-04-24 - CVE-2026-31594 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-31594
Vulnerability Analysis
The vulnerability resides in the PCI Endpoint Function (EPF) virtual Non-Transparent Bridge driver at drivers/pci/endpoint/functions/pci-epf-vntb.c. The helper epf_ntb_epc_destroy() performs cleanup steps that the caller is expected to perform later in the unbind flow. Running the same teardown twice manipulates already-freed or already-unlinked list entries, leaving stale poison pointers in kernel data structures.
When .allow_link returns an error, or when .drop_link is invoked from configfs, the duplicated path is reached. The kernel then attempts to dereference list poison values such as dead000000000108, producing an oops in pci_epc_remove_epf(). The call chain travels through pci_primary_epc_epf_link(), configfs_symlink(), vfs_symlink(), and __arm64_sys_symlinkat(), demonstrating that an unprivileged process holding write access to the configfs EPC tree can trigger the fault.
Root Cause
The defect is a resource lifetime and ownership error; NVD assigns it no specific weakness class (CWE-noinfo). epf_ntb_epc_destroy() duplicates teardown that the caller already owns, and it additionally calls pci_epc_put() even though the EPC device reference count is tied to the lifetime of the configfs EPC group. The fix removes the helper entirely and drops the redundant pci_epc_put(), leaving the .drop_link path solely responsible for releasing the EPC reference.
Attack Vector
Exploitation requires local access with permission to create symlinks under the PCI endpoint configfs hierarchy, typically /sys/kernel/config/pci_ep/. An attacker forces .allow_link to fail (reached through symlinkat()) or invokes .drop_link (reached through unlink() of the EPC binding symlink). The duplicate teardown corrupts kernel list state and causes the oops. The attack has no confidentiality or integrity impact, but it has a high availability impact, panicking the kernel or destabilizing the PCI endpoint subsystem. Public exploit code is not available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
The vulnerability manifests in the PCI endpoint virtual NTB teardown flow. Refer to the upstream commits for the precise code changes that remove the duplicate cleanup helper.
Detection Methods for CVE-2026-31594
Indicators of Compromise
- Kernel oops messages referencing pci_epc_remove_epf and pci_primary_epc_epf_link in dmesg or /var/log/kern.log
- Faulting virtual address in the dead000000000xxx range indicating list poison dereference
- Unexpected symlinkat() or unlinkat() syscalls targeting /sys/kernel/config/pci_ep/ paths from non-root processes
Detection Strategies
- Monitor kernel ring buffer output for oops signatures originating in drivers/pci/endpoint/ call frames
- Audit configfs operations under pci_ep using auditd with watch rules on the EPC controller and function directories
- Correlate process execution and syscall telemetry to flag unprivileged users interacting with PCI endpoint configfs entries
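As an added example (not from this advisory and not part of any kernel or distribution tooling), the POSIX shell snippet below applies the indicators and detection strategies listed above to kernel log text: it extracts and counts lines that carry the affected call frames or a faulting address in the list-poison range. The lines in SAMPLE_LOG are constructed for illustration, as are the symbol offsets in them; the auditctl rule in the comment assumes auditd is installed on the host.

```shell
#!/bin/sh
# Added example, not part of the advisory or of any kernel tooling.
# Scans kernel log text for the oops signature of CVE-2026-31594:
# the affected call frames, or a faulting address in the list-poison range.

# Constructed sample log lines (not a real capture), used for a dry run.
SAMPLE_LOG='[  120.431] Unable to handle kernel paging request at virtual address dead000000000108
[  120.432] pc : pci_epc_remove_epf+0x44/0x90
[  120.433] lr : pci_primary_epc_epf_link+0x70/0xa0
[  120.434] Call trace:
[  120.435]  configfs_symlink+0x1c8/0x2a0
[  120.436] usb 1-1: new high-speed USB device number 2 using xhci_hcd'

# Regular expression covering the indicators listed above: the two call frames
# named in the oops, or a fault at a dead0000xxxxxxxx list-poison address.
OOPS_RE='pci_epc_remove_epf|pci_primary_epc_epf_link|virtual address dead0000[0-9a-f]{8}'

# Print the matching lines read from stdin (no output if none match).
extract_oops_lines() {
    grep -E "$OOPS_RE" || true
}

# Print the number of matching lines read from stdin; always prints a number.
count_oops_lines() {
    grep -c -E "$OOPS_RE" || true
}

# Wrapper for a live host (needs permission to read the kernel ring buffer).
scan_dmesg() {
    dmesg | extract_oops_lines
}

# To audit configfs activity under pci_ep with auditd (run as root; assumes auditd):
#   auditctl -w /sys/kernel/config/pci_ep -p wa -k pci_ep_configfs
# Matching events can then be queried with:
#   ausearch -k pci_ep_configfs

# Dry run against the constructed sample; expect the three indicator lines.
printf '%s\n' "$SAMPLE_LOG" | extract_oops_lines
```

Feed the output of `dmesg` or the contents of /var/log/kern.log into extract_oops_lines to scan a real host; count_oops_lines returns a number suitable for an alerting threshold in a cron job or log-forwarding agent.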
Monitoring Recommendations
- Forward kernel logs and auditd events to a centralized analytics platform for crash and anomaly correlation
- Track running kernel versions across the fleet and alert on hosts still exposing the vulnerable pci-epf-vntb driver
- Baseline expected configfs activity on PCI endpoint development boards and alert on deviations from that baseline
How to Mitigate CVE-2026-31594
Immediate Actions Required
- Apply the upstream stable kernel updates that remove epf_ntb_epc_destroy() and the redundant pci_epc_put() call
- Restrict access to /sys/kernel/config/pci_ep/ to root or a dedicated administrative group only
- On systems that do not use PCI endpoint functionality, unload or blacklist the pci_epf_vntb module
Patch Information
Fixes are available in the mainline and stable Linux kernel trees. See the relevant commits: Linux Kernel Commit 0da63230, Linux Kernel Commit 478e7761, Linux Kernel Commit 73bf218d, Linux Kernel Commit a7a3cab4, Linux Kernel Commit cec9ead7, and Linux Kernel Commit e238ab12. Rebuild and reboot affected hosts after installing distribution kernel packages that incorporate these commits.
Workarounds
- Blacklist the pci_epf_vntb module on systems that do not require virtual NTB endpoint functionality
- Tighten permissions on the configfs mount and the pci_ep subtree to prevent unprivileged symlink operations
- Disable CONFIG_PCI_EPF_VNTB in custom kernel builds on platforms that have no PCI endpoint use case
# Blacklist the vulnerable module until a patched kernel is deployed
echo "blacklist pci_epf_vntb" | sudo tee /etc/modprobe.d/blacklist-pci-epf-vntb.conf
sudo modprobe -r pci_epf_vntb 2>/dev/null || true
# Restrict configfs PCI endpoint access to root
# (configfs is an in-memory filesystem, so this mode is not persistent; reapply after a reboot or remount)
sudo chmod 700 /sys/kernel/config/pci_ep
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.