PT-2026-43901 · Linux · Linux

Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-46034

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
Add validation to ensure MSI is configured before accessing cdx_irqs array in vfio_cdx_set_msi_trigger(). Without this check, userspace can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD.
The vfio_cdx_msi_enable() function allocates the cdx_irqs array and sets config_msi to 1 only when called through the EVENTFD path. The trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been done, but there was no enforcement of this call ordering.
This matches the protection used in the PCI VFIO driver where vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop.
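
The call-ordering guard described above, as a simplified user-space model added here for illustration; it is not the kernel's code or the actual patch. The struct model_dev type, the model_* functions and the flag values are hypothetical, and returning -EINVAL from the guard is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed flag bits for this model; not the UAPI values. */
enum { DATA_NONE = 1, DATA_BOOL = 2, DATA_EVENTFD = 4 };

struct model_dev {
    int *cdx_irqs;      /* per-vector fire count; NULL until MSI is enabled */
    unsigned int nvec;
    int config_msi;     /* set to 1 only by the enable (EVENTFD) path */
};

/* EVENTFD path: the only place the array is allocated. */
static int model_msi_enable(struct model_dev *d, unsigned int nvec)
{
    if (d->config_msi)
        return 0;                       /* model: already configured */
    d->cdx_irqs = calloc(nvec, sizeof(*d->cdx_irqs));
    if (!d->cdx_irqs)
        return -ENOMEM;
    d->nvec = nvec;
    d->config_msi = 1;
    return 0;
}

static int model_set_msi_trigger(struct model_dev *d, uint32_t flags,
        unsigned int start, unsigned int count, const uint8_t *bools)
{
    if (flags & DATA_EVENTFD)
        return model_msi_enable(d, start + count);
    /* The guard: never walk cdx_irqs before MSI has been configured. */
    if (!d->config_msi)
        return -EINVAL;
    if (start >= d->nvec || count > d->nvec - start)
        return -EINVAL;                 /* stay inside the allocation */
    if ((flags & DATA_BOOL) && !bools)
        return -EINVAL;
    for (unsigned int i = start; i < start + count; i++)
        if ((flags & DATA_NONE) || ((flags & DATA_BOOL) && bools[i - start]))
            d->cdx_irqs[i]++;           /* kernel would signal the eventfd */
    return 0;
}

int main(void)
{
    struct model_dev d = {0};
    /* Trigger before setup must be rejected, not dereference NULL. */
    return model_set_msi_trigger(&d, DATA_NONE, 0, 1, NULL) == -EINVAL ? 0 : 1;
}
```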

Related Identifiers

CVE-2026-46034

Affected Products

Linux