Bug 2460658 (CVE-2026-31523)

Summary: CVE-2026-31523 kernel: nvme-pci: ensure we're polling a polled queue
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's Non-Volatile Memory Express (NVMe) PCI driver. A local user can trigger a race condition during a system reset by changing the polled queue count. This vulnerability allows a high-priority task to attempt to poll a queue before the system's queue maps are updated, leading to "double completions." This can result in system instability or a denial of service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-22 15:03:39 UTC 
In the Linux kernel, the following vulnerability has been resolved:

nvme-pci: ensure we're polling a polled queue

A user can change the polled queue count at run time. There's a brief
window during a reset where a hipri task may try to poll that queue
before the block layer has updated the queue maps, which would race with
the now interrupt driven queue and may cause double completions.
Comment 1 Keith Grant 2026-04-22 20:19:17 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042212-CVE-2026-31523-1f48@gregkh/T