2460712 – (CVE-2026-31468) CVE-2026-31468 kernel: vfio/pci: Fix double free in dma-buf feature

Bug 2460712 (CVE-2026-31468) - CVE-2026-31468 kernel: vfio/pci: Fix double free in dma-buf feature

Summary: CVE-2026-31468 kernel: vfio/pci: Fix double free in dma-buf feature

Keywords:
Status:	NEW
Alias:	CVE-2026-31468
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-22 15:06 UTC by OSIDB Bzimport
Modified:	2026-04-24 16:44 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-22 15:06:56 UTC

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Fix double free in dma-buf feature

The error path through vfio_pci_core_feature_dma_buf() ignores its
own advice to only use dma_buf_put() after dma_buf_export(), instead
falling through the entire unwind chain.  In the unlikely event that
we encounter file descriptor exhaustion, this can result in an
unbalanced refcount on the vfio device and double free of allocated
objects.

Avoid this by moving the "put" directly into the error path and return
the errno rather than entering the unwind chain.

Comment 1 Keith Grant 2026-04-22 18:06:09 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042253-CVE-2026-31468-13b8@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.