Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2026-46290— x86/efi: Fix graceful fault handling after FPU softirq changes

AI Predicted 5.5 Difficulty: Theoretical EPSS 0.17% · P6

Possible ATT&CK Techniques 1AI

T1059 · Command and Scripting Interpreter

Affected Version Matrix 8

VendorProductVersion RangeStatus
LinuxLinuxd02198550423a0b695e7a24ec77153209ad45b09< 22b365ba1af3d8c6036b8e5112fffe80998b85a0affected
d02198550423a0b695e7a24ec77153209ad45b09< db155b86d1523e85941f61efd7d7ffb594cc9a29affected
d02198550423a0b695e7a24ec77153209ad45b09< 088f65e206087bf903743bd18417261d7a4c9644affected
6.15affected
< 6.15unaffected
6.18.30≤ 6.18.*unaffected
7.0.7≤ 7.0.*unaffected
7.1≤ *unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-46290

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
x86/efi: Fix graceful fault handling after FPU softirq changes
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: x86/efi: Fix graceful fault handling after FPU softirq changes Since commit d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin() calls fpregs_lock() which uses local_bh_disable() instead of the previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count during the entire EFI runtime service call, causing in_interrupt() to return true in normal task context. The graceful page fault handler efi_crash_gracefully_on_page_fault() uses in_interrupt() to bail out for faults in real interrupt context. With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI firmware page faults unhandled. This escalates to die() which also sees in_interrupt() as true and calls panic("Fatal exception in interrupt"), resulting in a hard system freeze. On systems with buggy firmware that triggers page faults during EFI runtime calls (e.g., accessing unmapped memory in GetTime()), this causes an unrecoverable hang instead of the expected graceful EFI_ABORTED recovery. Fix by replacing in_interrupt() with !in_task(). This preserves the original intent of bailing for interrupts or NMI faults, while no longer falsely triggering from the FPU code path's local_bh_disable(). [ardb: Sashiko spotted that using 'in_hardirq() || in_nmi()' leaves a window where a softirq may be taken before fpregs_lock() is called, but after efi_rts_work.efi_rts_id has been assigned, and any page faults occurring in that window will then be misidentified as having been caused by the firmware. Instead, use !in_task(), which incorporates in_serving_softirq(). ]
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于EFI优雅故障处理中FPU软中断变化,可能导致系统崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux d02198550423a0b695e7a24ec77153209ad45b09 ~ 22b365ba1af3d8c6036b8e5112fffe80998b85a0 -
LinuxLinux 6.15 -

II. Public POCs for CVE-2026-46290

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-46290

登录查看更多情报信息。

Patches & Fixes for CVE-2026-46290 (3)

Same Patch Batch · Linux · 2026-06-08 · 41 CVEs total

CVE-2026-462899.8 CRITICALlib/scatterlist: fix length calculations in extract_kvec_to_sg
CVE-2026-462888.4 HIGHof: unittest: fix use-after-free in of_unittest_changeset()
CVE-2026-463078.3 HIGHwifi: ath5k: do not access array OOB
CVE-2026-463038.2 HIGHisofs: validate Rock Ridge CE continuation extent against volume size
CVE-2026-462747.8 HIGHio-wq: check that the predecessor is hashed in io_wq_remove_pending()
CVE-2026-463117.8 HIGHdrm/amdgpu/userq: fix access to stale wptr mapping
CVE-2026-462757.8 HIGHBluetooth: hci_uart: fix UAFs and race conditions in close and init paths
CVE-2026-462777.8 HIGHmm/zone_device: do not touch device folio after calling ->folio_free()
CVE-2026-462807.8 HIGHlib: test_hmm: evict device pages on file close to avoid use-after-free
CVE-2026-463067.5 HIGHflow_dissector: do not dissect PPPoE PFC frames
CVE-2026-463047.5 HIGHnvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
CVE-2026-462997.0 HIGHhfsplus: fix held lock freed on hfsplus_fill_super()
CVE-2026-46287net: txgbe: fix RTNL assertion warning when remove module
CVE-2026-46286leds: qcom-lpg: Check for array overflow when selecting the high resolution
CVE-2026-46279mm/alloc_tag: clear codetag for pages allocated before page_ext initialization
CVE-2026-46285mtd: docg3: fix use-after-free in docg3_release()
CVE-2026-46284mm/hugetlb: fix early boot crash on parameters without '=' separator
CVE-2026-46283tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()
CVE-2026-46282iio: frequency: admv1013: fix NULL pointer dereference on str
CVE-2026-46281vmalloc: fix buffer overflow in vrealloc_node_align()

Showing top 20 of 41 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-46290

No comments yet

Leave a comment