CVE-2026-31561

Source
https://cve.org/CVERecord?id=CVE-2026-31561
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31561.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31561
Downstream
Published
2026-04-24T14:35:43.302Z
Modified
2026-07-15T01:49:18.380962921Z
Summary
x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask
Details

In the Linux kernel, the following vulnerability has been resolved:

x86/cpu: Remove X86CR4FRED from the CR4 pinned bits mask

Commit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so that whenever something else modifies CR4, that bit remains set. Which in itself is a perfectly fine idea.

However, there's an issue when during boot FRED is initialized: first on the BSP and later on the APs. Thus, there's a window in time when exceptions cannot be handled.

This becomes particularly nasty when running as SEV-{ES,SNP} or TDX guests which, when they manage to trigger exceptions during that short window described above, triple fault due to FRED MSRs not being set up yet.

See Link tag below for a much more detailed explanation of the situation.

So, as a result, the commit in that Link URL tried to address this shortcoming by temporarily disabling CR4 pinning when an AP is not online yet.

However, that is a problem in itself because in this case, an attack on the kernel needs to only modify the online bit - a single bit in RW memory - and then disable CR4 pinning and then disable SM*P, leading to more and worse things to happen to the system.

So, instead, remove the FRED bit from the CR4 pinning mask, thus obviating the need to temporarily disable CR4 pinning.

If someone manages to disable FRED when poking at CR4, then idt_invalidate() would make sure the system would crash'n'burn on the first exception triggered, which is a much better outcome security-wise.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31561.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ff45746fbf005f96e42bea466698e3fdbf926013
Fixed
d7853d9fe94abf43b46c57b0b7f8418198b7615a
Fixed
a6e14114684d2324e5401617d6d01acb4a4e0e22
Fixed
00d956dafa76f86a73424fe5cce3d604a8be2e4b
Fixed
411df123c017169922cc767affce76282b8e6c85

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31561.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.9.0
Fixed
6.12.80
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31561.json"