CVE-2026-31436
Published: 22 April 2026
Summary
CVE-2026-31436 is a critical-severity vulnerability of an unspecified weakness type in Kernel (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 17.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely identification, reporting, and correction of kernel flaws like the incorrect descriptor completion in idxd's llist_abort_desc(), preventing NULL dereferences, double completions, and leaks.
Ensures receipt, dissemination, and implementation of security advisories for Linux kernel CVEs such as CVE-2026-31436, facilitating prompt patching.
Supports vulnerability scanning and monitoring to identify systems running vulnerable Linux kernel versions affected by the idxd driver bug.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Kernel NULL dereference/double-free bug in idxd driver enables remote exploitation for privilege escalation (T1068) or endpoint DoS via crashes/resource leaks (T1499).
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()
At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks. Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.
Deeper analysis
CVE-2026-31436 is a vulnerability in the Linux kernel's dmaengine idxd driver, specifically within the llist_abort_desc() function. The issue arises because the function uses 'd' as the traversal cursor for the flist but incorrectly completes the 'found' descriptor at the end of the final list_for_each_entry_safe() loop. This bug can result in NULL pointer dereferences, double completions, or descriptor leaks, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers require no privileges or user interaction to exploit this over a network, potentially achieving high impacts on confidentiality, integrity, and availability. The flaw's effects, such as kernel crashes from NULL dereferences or resource leaks from incomplete descriptors, could enable denial-of-service or more severe compromise depending on the attacker's control over DMA operations in affected idxd configurations.
Mitigation is provided through upstream patches in Linux kernel stable trees, as detailed in the referenced commits: https://git.kernel.org/stable/c/0e4f43779d550e559be13a5cdb763bad92c4cc99, https://git.kernel.org/stable/c/82656e8daf8de00935ae91b91bed43f4d6e0d644, https://git.kernel.org/stable/c/e1c9866173c5f8521f2d0768547a01508cb9ff27, and https://git.kernel.org/stable/c/e21da2ad8844585040fe4b82be1ad2fe99d40074. These fixes ensure the correct descriptor 'd' is completed instead of 'found', resolving the traversal mismatch. Security practitioners should apply the relevant stable kernel updates to vulnerable systems.
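The traversal mismatch described above, as an added example: a simplified userspace model written for this page, not the kernel's code. The names struct desc, complete(), drain_flist() and run_case() are hypothetical, and the model assumes the abort target is completed once before the loop.

```c
#include <stdio.h>

/* Hypothetical stand-in for a DMA descriptor; not the kernel's struct. */
struct desc {
    int completions;     /* how many times complete() ran on it */
    struct desc *next;   /* link in the local list (the page's "flist") */
};

struct result { int null_completes, leaked, double_completed; };

/* Model of completing a descriptor; NULL is counted instead of crashing. */
static void complete(struct desc *d, struct result *r)
{
    if (!d) { r->null_completes++; return; }
    d->completions++;
}

/* buggy=1 completes `found` in the loop (pre-fix); buggy=0 completes cursor d. */
static struct result drain_flist(struct desc *flist, struct desc *found, int buggy)
{
    struct result r = {0, 0, 0};
    struct desc *d, *t;
    if (found)                       /* assumption: target completed once up front */
        complete(found, &r);
    for (d = flist; d; d = t) {
        t = d->next;                 /* safe traversal: read next before completing */
        complete(buggy ? found : d, &r);
    }
    for (d = flist; d; d = d->next)  /* audit: every flist entry needs one completion */
        if (d->completions == 0) r.leaked++;
    if (found && found->completions > 1)
        r.double_completed = 1;
    return r;
}

/* Constructed scenario: three descriptors on flist, optional abort target. */
static struct result run_case(int with_found, int buggy)
{
    struct desc c = {0, NULL}, b = {0, &c}, a = {0, &b}, target = {0, NULL};
    return drain_flist(&a, with_found ? &target : NULL, buggy);
}

int main(void)
{
    struct result r = run_case(0, 1);
    printf("buggy, found=NULL: null=%d leaked=%d\n", r.null_completes, r.leaked);
    return 0;
}
```

With the pre-fix loop, every flist entry is left uncompleted, and the completion call lands either on NULL or repeatedly on the already-completed target; completing the cursor d removes all three outcomes.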
Details
- CWE(s)