Linux Kernel vfio/pci Double-Free via DMA-BUF on Error Path
CVE-2026-31468 Published on April 22, 2026
vfio/pci: Fix double free in dma-buf feature
In the Linux kernel, the following vulnerability has been resolved:
vfio/pci: Fix double free in dma-buf feature
The error path through vfio_pci_core_feature_dma_buf() ignores its
own advice to only use dma_buf_put() after dma_buf_export(), instead
falling through the entire unwind chain. In the unlikely event that
we encounter file descriptor exhaustion, this can result in an
unbalanced refcount on the vfio device and double free of allocated
objects.
Avoid this by moving the "put" directly into the error path and return
the errno rather than entering the unwind chain.
Products Associated with CVE-2026-31468
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 5d74781ebc86c5fa9e9d6934024c505412de9b52 and below 83ad334afc9a645cef1062f5346526b1e36d6516 is affected.
- Version 5d74781ebc86c5fa9e9d6934024c505412de9b52 and below e98137f0a874ab36d0946de4707aa48cb7137d1c is affected.
- Version 6.19 is affected.
- Before 6.19 is unaffected.
- Version 6.19.11, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.