{"id":"CVE-2026-23198","summary":"KVM: Don't clobber irqfd routing type when deassigning irqfd","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don't clobber irqfd routing type when deassigning irqfd\n\nWhen deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's\nrouting entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86\nand arm64, which explicitly look for KVM_IRQ_ROUTING_MSI.  Instead, to\nhandle a concurrent routing update, verify that the irqfd is still active\nbefore consuming the routing information.  As evidenced by the x86 and\narm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below),\nclobbering the entry type without notifying arch code is surprising and\nerror prone.\n\nAs a bonus, checking that the irqfd is active provides a convenient\nlocation for documenting _why_ KVM must not consume the routing entry for\nan irqfd that is in the process of being deassigned: once the irqfd is\ndeleted from the list (which happens *before* the eventfd is detached), it\nwill no longer receive updates via kvm_irq_routing_update(), and so KVM\ncould deliver an event using stale routing information (relative to\nKVM_SET_GSI_ROUTING returning to userspace).\n\nAs an even better bonus, explicitly checking for the irqfd being active\nfixes a similar bug to the one the clobbering is trying to prevent: if an\nirqfd is deactivated, and then its routing is changed,\nkvm_irq_routing_update() won't invoke kvm_arch_update_irqfd_routing()\n(because the irqfd isn't in the list).  And so if the irqfd is in bypass\nmode, IRQs will continue to be posted using the old routing information.\n\nAs for kvm_arch_irq_bypass_del_producer(), clobbering the routing type\nresults in KVM incorrectly keeping the IRQ in bypass mode, which is\nespecially problematic on AMD as KVM tracks IRQs that are being posted to\na vCPU in a list whose lifetime is tied to the irqfd.\n\nWithout the help of KASAN to detect use-after-free, the most common\nsymptom on AMD is a NULL pointer deref in amd_iommu_update_ga() due to\nthe memory for irqfd structure being re-allocated and zeroed, resulting\nin irqfd-\u003eirq_bypass_data being NULL when read by\navic_update_iommu_vcpu_affinity():\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000018\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0\n  Oops: Oops: 0000 [#1] SMP\n  CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test\n  Tainted: G     U  W  O        6.19.0-smp--5dddc257e6b2-irqfd #31 NONE\n  Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025\n  RIP: 0010:amd_iommu_update_ga+0x19/0xe0\n  Call Trace:\n   \u003cTASK\u003e\n   avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd]\n   __avic_vcpu_load+0xf4/0x130 [kvm_amd]\n   kvm_arch_vcpu_load+0x89/0x210 [kvm]\n   vcpu_load+0x30/0x40 [kvm]\n   kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm]\n   kvm_vcpu_ioctl+0x571/0x6a0 [kvm]\n   __se_sys_ioctl+0x6d/0xb0\n   do_syscall_64+0x6f/0x9d0\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  RIP: 0033:0x46893b\n    \u003c/TASK\u003e\n  ---[ end trace 0000000000000000 ]---\n\nIf AVIC is inhibited when the irqfd is deassigned, the bug will manifest as\nlist corruption, e.g. on the next irqfd assignment.\n\n  list_add corruption. next-\u003eprev should be prev (ffff8d474d5cd588),\n                       but was 0000000000000000. (next=ffff8d8658f86530).\n  ------------[ cut here ]------------\n  kernel BUG at lib/list_debug.c:31!\n  Oops: invalid opcode: 0000 [#1] SMP\n  CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test\n  Tainted: G     U  W  O        6.19.0-smp--f19dc4d680ba-irqfd #28 NONE\n  Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025\n  RIP: 0010:__list_add_valid_or_report+0x97/0xc0\n  Call Trace:\n   \u003cTASK\u003e\n   avic_pi_update_irte+0x28e/0x2b0 [kvm_amd]\n   kvm_pi_update_irte+0xbf/0x190 [kvm]\n   kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm]\n   irq_bypass_register_consumer+0xcd/0x170 [irqbypa\n---truncated---","aliases":["ECHO-dcf7-301f-a7b6"],"modified":"2026-04-21T02:27:21.699888392Z","published":"2026-02-14T16:27:23.621Z","related":["SUSE-SU-2026:0962-1","SUSE-SU-2026:1078-1","SUSE-SU-2026:1081-1","SUSE-SU-2026:20667-1","SUSE-SU-2026:20720-1","SUSE-SU-2026:20838-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","SUSE-SU-2026:20931-1","openSUSE-SU-2026:20416-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23198.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2284bc168b148a17b5ca3b37b3d95c411f18a08d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4385b2f2843549bfb932e0dcf76bf4b065543a3c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6d14ba1e144e796b5fc81044f08cfba9024ca195"},{"type":"WEB","url":"https://git.kernel.org/stable/c/959a063e7f12524bc1871ad1f519787967bbcd45"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b4d37cdb77a0015f51fee083598fa227cc07aaf1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b61f9b2fcf181451d0a319889478cc53c001123e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ff48c9312d042bfbe826ca675e98acc6c623211c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23198.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23198"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f70c20aaf141adb715a2d750c55154073b02a9c3"},{"fixed":"959a063e7f12524bc1871ad1f519787967bbcd45"},{"fixed":"2284bc168b148a17b5ca3b37b3d95c411f18a08d"},{"fixed":"6d14ba1e144e796b5fc81044f08cfba9024ca195"},{"fixed":"b61f9b2fcf181451d0a319889478cc53c001123e"},{"fixed":"ff48c9312d042bfbe826ca675e98acc6c623211c"},{"fixed":"4385b2f2843549bfb932e0dcf76bf4b065543a3c"},{"fixed":"b4d37cdb77a0015f51fee083598fa227cc07aaf1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23198.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.4.0"},{"fixed":"5.10.250"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.200"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.163"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.124"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.70"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23198.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}