{
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: vfio/xe: Reorganize the init to decouple migration from reset",
    "id" : "2461513",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461513"
  },
  "cwe" : "CWE-824",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nvfio/xe: Reorganize the init to decouple migration from reset\nAttempting to issue reset on VF devices that don't support migration\nleads to the following:\nBUG: unable to handle page fault for address: 00000000000011f8\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 2 UID: 0 PID: 7443 Comm: xe_sriov_flr Tainted: G S   U              7.0.0-rc1-lgci-xe-xe-4588-cec43d5c2696af219-nodebug+ #1 PREEMPT(lazy)\nTainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\nHardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\nRIP: 0010:xe_sriov_vfio_wait_flr_done+0xc/0x80 [xe]\nCode: ff c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 54 53 <83> bf f8 11 00 00 02 75 61 41 89 f4 85 f6 74 52 48 8b 47 08 48 89\nRSP: 0018:ffffc9000f7c39b8 EFLAGS: 00010202\nRAX: ffffffffa04d8660 RBX: ffff88813e3e4000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc9000f7c39c8 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff888101a48800\nR13: ffff88813e3e4150 R14: ffff888130d0d008 R15: ffff88813e3e40d0\nFS:  00007877d3d0d940(0000) GS:ffff88890b6d3000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000011f8 CR3: 000000015a762000 CR4: 0000000000f52ef0\nPKRU: 55555554\nCall Trace:\n<TASK>\nxe_vfio_pci_reset_done+0x49/0x120 [xe_vfio_pci]\npci_dev_restore+0x3b/0x80\npci_reset_function+0x109/0x140\nreset_store+0x5c/0xb0\ndev_attr_store+0x17/0x40\nsysfs_kf_write+0x72/0x90\nkernfs_fop_write_iter+0x161/0x1f0\nvfs_write+0x261/0x440\nksys_write+0x69/0xf0\n__x64_sys_write+0x19/0x30\nx64_sys_call+0x259/0x26e0\ndo_syscall_64+0xcb/0x1500\n? __fput+0x1a2/0x2d0\n? fput_close_sync+0x3d/0xa0\n? __x64_sys_close+0x3e/0x90\n? x64_sys_call+0x1b7c/0x26e0\n? do_syscall_64+0x109/0x1500\n? __task_pid_nr_ns+0x68/0x100\n? __do_sys_getpid+0x1d/0x30\n? x64_sys_call+0x10b5/0x26e0\n? do_syscall_64+0x109/0x1500\n? putname+0x41/0x90\n? do_faccessat+0x1e8/0x300\n? __x64_sys_access+0x1c/0x30\n? x64_sys_call+0x1822/0x26e0\n? do_syscall_64+0x109/0x1500\n? tick_program_event+0x43/0xa0\n? hrtimer_interrupt+0x126/0x260\n? irqentry_exit+0xb2/0x710\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7877d5f1c5a4\nCode: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d a5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89\nRSP: 002b:00007fff48e5f908 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007877d5f1c5a4\nRDX: 0000000000000001 RSI: 00007877d621b0c9 RDI: 0000000000000009\nRBP: 0000000000000001 R08: 00005fb49113b010 R09: 0000000000000007\nR10: 0000000000000000 R11: 0000000000000202 R12: 00007877d621b0c9\nR13: 0000000000000009 R14: 00007fff48e5fac0 R15: 00007fff48e5fac0\n</TASK>\nThis is caused by the fact that some of the xe_vfio_pci_core_device\nmembers needed for handling reset are only initialized as part of\nmigration init.\nFix the problem by reorganizing the code to decouple VF init from\nmigration init.", "A flaw was found in the Linux kernel's vfio/xe driver. An attacker, by attempting to reset a Virtual Function (VF) device that does not support migration, can trigger a kernel page fault. This can lead to a system crash, resulting in a Denial of Service (DoS)." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31601\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31601\nhttps://lore.kernel.org/linux-cve-announce/2026042418-CVE-2026-31601-1cb0@gregkh/T" ],
  "name" : "CVE-2026-31601",
  "csaw" : false
}