CVE-2026-31436

Critical

Published: 22 April 2026

Modified: 19 May 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (36.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-31436 is a critical-severity NULL Pointer Dereference (CWE-476) vulnerability in the Linux kernel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 36.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31436 is a vulnerability in the Linux kernel's dmaengine idxd driver, specifically within the llist_abort_desc() function. In the final list_for_each_entry_safe() loop at the end of that function, 'd' is the traversal cursor over flist, but the code completes the 'found' descriptor instead. This bug can result in NULL pointer dereferences, double completions, or descriptor leaks, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The CVSS vector rates the flaw as exploitable over a network by remote attackers who need no privileges and no user interaction, with potentially high impact on confidentiality, integrity, and availability. The flaw's effects, such as kernel crashes from NULL dereferences or resource leaks from incomplete descriptors, could enable denial-of-service or more severe compromise depending on the attacker's control over DMA operations in affected idxd configurations.

Mitigation is provided through upstream patches in Linux kernel stable trees, as detailed in the referenced commits: https://git.kernel.org/stable/c/0e4f43779d550e559be13a5cdb763bad92c4cc99, https://git.kernel.org/stable/c/82656e8daf8de00935ae91b91bed43f4d6e0d644, https://git.kernel.org/stable/c/e1c9866173c5f8521f2d0768547a01508cb9ff27, and https://git.kernel.org/stable/c/e21da2ad8844585040fe4b82be1ad2fe99d40074. These fixes ensure the correct descriptor 'd' is completed instead of 'found', resolving the traversal mismatch. Security practitioners should apply the relevant stable kernel updates to vulnerable systems.
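The cursor mix-up described above, reduced to a userspace C model. This is an added example, not the idxd driver's code or the upstream patch: `struct desc`, `complete_desc()`, `flush_flist()` and `run_case()` are hypothetical names, and a plain singly linked list stands in for the kernel's list helpers.

```c
/* Userspace model, not the idxd driver source; every name is hypothetical. */
#include <stddef.h>
#include <stdio.h>

struct desc { int completions; struct desc *next; };  /* next links flist */
struct result { int leaked, found_completions, null_hits; };

static int null_hits;  /* stands in for a NULL pointer dereference */

static void complete_desc(struct desc *x)
{
    if (!x) { null_hits++; return; }  /* kernel code would dereference x */
    x->completions++;
}

/* Drain flist with cursor d. buggy=1 completes 'found' (the defect);
 * buggy=0 completes 'd' (the fix the page describes). */
static void flush_flist(struct desc *flist, struct desc *found, int buggy)
{
    struct desc *d, *n;
    for (d = flist; d; d = n) {
        n = d->next;               /* save next before unlinking d */
        d->next = NULL;
        complete_desc(buggy ? found : d);
    }
}

/* Constructed case: three descriptors on flist, 'found' present or NULL. */
static struct result run_case(int buggy, int have_found)
{
    struct desc fl[3], target = { 0, NULL };
    struct result r = { 0, 0, 0 };
    int i;
    for (i = 0; i < 3; i++)
        fl[i] = (struct desc){ 0, (i < 2) ? &fl[i + 1] : NULL };
    null_hits = 0;
    flush_flist(fl, have_found ? &target : NULL, buggy);
    for (i = 0; i < 3; i++)
        r.leaked += (fl[i].completions == 0);
    r.found_completions = target.completions;
    r.null_hits = null_hits;
    return r;
}

int main(void)
{
    struct result b = run_case(1, 0), f = run_case(0, 0);
    printf("buggy: leaked=%d null=%d\n", b.leaked, b.null_hits);
    printf("fixed: leaked=%d null=%d\n", f.leaked, f.null_hits);
    return 0;
}
```

In the buggy variant the three flist descriptors are never completed, and `found` is either hit as NULL on every iteration or completed three times. The fixed variant completes each flist descriptor exactly once and never touches `found`.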

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()

At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.

Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1499 Endpoint Denial of Service (tactic: Impact)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

Why these techniques?

Kernel NULL dereference/double-free bug in idxd driver enables remote exploitation for privilege escalation (T1068) or endpoint DoS via crashes/resource leaks (T1499).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31453: same product (Linux kernel)
CVE-2024-57925: same product (Linux kernel)
CVE-2026-23198: same product (Linux kernel)
CVE-2026-31404: same product (Linux kernel)
CVE-2026-31657: same product (Linux kernel)
CVE-2026-31397: same product (Linux kernel)
CVE-2026-23148: same product (Linux kernel)
CVE-2026-31477: same product (Linux kernel)
CVE-2026-31638: same product (Linux kernel)
CVE-2024-57926: same product (Linux kernel)

Affected Assets

linux
linux kernel
7.0 · 6.8 — 6.12.80 · 6.13 — 6.18.21 · 6.19 — 6.19.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of kernel flaws like the incorrect descriptor completion in idxd's llist_abort_desc(), preventing NULL dereferences, double completions, and leaks.

prevent

Ensures receipt, dissemination, and implementation of security advisories for Linux kernel CVEs such as CVE-2026-31436, facilitating prompt patching.

detect

Supports vulnerability scanning and monitoring to identify systems running vulnerable Linux kernel versions affected by the idxd driver bug.
