Linux Kernel Research Highlights x86 Page-Fault Interrupt Handling Bug and Faster Page-Cache Side-Channel Attacks
Recent Linux kernel security reporting highlighted two separate issues: a long-standing x86 page-fault handling logic flaw and newly optimized page-cache side-channel techniques. An Intel engineer (Cedric Xing) identified that, since 2020, parts of the x86 do_page_fault() path could leave hardware interrupts enabled in situations where the kernel’s logic assumed they were disabled. The cause was conflating address range (user vs. kernel) with execution context. A fix was merged into Linux 6.19, with plans to backport it to stable branches.
Separately, researchers from Graz University of Technology described significantly faster Linux page cache attacks, reducing cache-flush time from ~149 ms to ~0.8 µs and enabling tighter attack loops (0.6–2.3 µs). The work describes potential impacts including more precise overlay/keylogging-style attacks, inter-keystroke timing inference, container/Docker file-activity insights, and user-activity inference in applications such as Discord and Firefox; reporting noted that only CVE-2025-21691 has been remediated by the Linux kernel security team. A third item—Imagination Technologies’ GPU driver vulnerability bulletin—covers unrelated GPU DDK issues (information leak and UAF-class bugs) and does not pertain to the Linux kernel x86/page-cache topics.
Timeline
Jan 25, 2026
Linux merges unified fix for x86 page-fault interrupt-state bug into 6.19
Linux kernel engineers implemented a single unconditional interrupt-disable step before returning to the low-level page-fault handler to correct the interrupt-state asymmetry issue. The remediation was merged into the Linux 6.19 branch, with plans to backport it to older stable releases.
Jan 25, 2026
Cedric Xing identifies 5-year-old Linux x86 memory-handling flaw
Intel engineer Cedric Xing identified a long-standing Linux kernel x86 page-fault handling flaw caused by incorrect assumptions about interrupt state restoration in certain branches, including __bad_area_nosemaphore(). Kernel engineers concluded that branch-by-branch fixes were inadequate.
Jan 23, 2026
Researchers detail faster Linux page cache side-channel attacks
Researchers reported major efficiency gains in Linux page cache side-channel attacks, reducing page-cache flushing time from 149 milliseconds to 0.8 microseconds and completing attack loops in 0.6–2.3 microseconds. They also described techniques for inferring user actions, visited websites, file information in Docker contexts, and recovering sensitive data such as passwords through timing analysis.
Jan 23, 2025
Linux kernel security team remediates CVE-2025-21691
The Linux kernel security team remediated CVE-2025-21691, one of the page cache–related issues discussed by researchers. The report notes this was the only issue in that set that had been fixed at the time of publication.
Aug 1, 2020
Linux x86 page-fault flaw introduced around Linux 5.8 merge window
A flaw in Linux kernel x86 page-fault handling was introduced around the Linux 5.8 merge window in 2020, creating inconsistent interrupt-state handling across some fault paths. The bug could allow interrupts to be re-enabled when the kernel expected them to remain disabled.
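The interrupt-state asymmetry and the unified fix described in the timeline, as a simplified user-space model added here (not kernel code and not taken from the original report). The names `irqs_on`, `service_fault`, `handle_fault_flawed`, `handle_fault_unified` and `leaked_states` are hypothetical, and the model assumes interrupts are enabled only when the fault came from user context.

```c
#include <stdbool.h>
#include <stdio.h>

static bool irqs_on;  /* simulated interrupt flag, not real CPU state */

struct fault {
    bool user_address;  /* faulting address is in the user range */
    bool user_context;  /* CPU was running user code when it faulted */
};

/* Hypothetical sub-handler work: enabling depends on execution *context*. */
static void service_fault(const struct fault *f)
{
    if (f->user_context)
        irqs_on = true;
}

/* Flawed shape: the restore is attached to the *address* branch only;
 * the kernel-address branch assumes interrupts are still off. */
static void handle_fault_flawed(const struct fault *f)
{
    service_fault(f);
    if (f->user_address)
        irqs_on = false;
}

/* Unified shape: one unconditional disable before returning. */
static void handle_fault_unified(const struct fault *f)
{
    service_fault(f);
    irqs_on = false;
}

/* Count address/context combinations that return with interrupts on. */
static int leaked_states(void (*handler)(const struct fault *))
{
    int leaks = 0;
    for (int i = 0; i < 4; i++) {
        struct fault f = { (i & 1) != 0, (i & 2) != 0 };
        irqs_on = false;  /* low-level entry code runs with interrupts off */
        handler(&f);
        leaks += irqs_on ? 1 : 0;
    }
    return leaks;
}

int main(void)
{
    printf("flawed leaks: %d, unified leaks: %d\n",
           leaked_states(handle_fault_flawed), leaked_states(handle_fault_unified));
    return 0;
}
```

The one leaking combination in the flawed handler is a kernel-range address faulted from user context, which is why checking every address/context pair at the single exit point is more robust than auditing each branch.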
Related Stories

Microsoft Discloses Broad Set of Linux Kernel Vulnerabilities
Microsoft published a broad batch of Security Update Guide entries for Linux kernel flaws affecting memory management, networking, virtualization, device drivers, and subsystem input validation. The listed issues include use-after-free, NULL dereference, integer underflow, refcount underflow, information disclosure, and bounds-checking failures tracked as **`CVE-2026-31496`**, **`CVE-2026-31458`**, **`CVE-2026-31689`**, **`CVE-2026-31615`**, **`CVE-2026-31664`**, **`CVE-2026-31656`**, **`CVE-2026-31611`**, **`CVE-2026-31671`**, **`CVE-2026-31612`**, and others. Affected components span `nf_conntrack_expect`, `damon`, `edac_mc`, `renesas_usb3`, `xfrm`, `drm/i915`, `ksmbd`, `stmmac`, `tipc`, `mptcp`, `NFC`, `HID`, `KVM`, `mmc`, `x86/CPU`, `PCI endpoint`, `blk-cgroup`, `media/as102`, and `altera-tse`. Several entries point to bugs that could lead to kernel crashes, memory corruption, or data leakage if triggered through malformed input, protocol handling, or device interaction. Notable examples include a slab use-after-free in `mptcp`, information leaks in `xfrm_user` and `xfrm`, validation flaws in `ksmbd`, endpoint index handling in `usb: gadget: renesas_usb3`, and multiple underflow and teardown-ordering bugs across networking and driver code. The disclosures indicate a coordinated publication of upstream Linux kernel fixes through Microsoft's advisory channel, underscoring the need for organizations running Linux workloads in Microsoft-connected environments to review affected kernel versions and apply vendor patches promptly.
Yesterday
Microsoft Discloses Linux Kernel Flaws Affecting SMB, KVM, Virtio, BPF, and Networking
Microsoft added several CVEs to its Security Update Guide for Linux kernel components, including **CVE-2026-31609** in SMB, **CVE-2026-31591** in KVM SEV/SNP handling, **CVE-2026-31469** in `virtio_net`, **CVE-2026-31525** in BPF, and **CVE-2026-31494** in the `macb` network driver. The listed issues span memory-safety and logic flaws such as a double-free in `smbd_free_send_io()` after `smbd_send_batch_flush()`, a use-after-free in `virtio_net`, and undefined behavior in the BPF interpreter for signed division and modulo involving `INT_MIN`. The disclosures also include a KVM fix that locks all vCPUs while synchronizing VMSAs during SEV-SNP launch completion, indicating impact in confidential computing and virtualization workflows, alongside a `macb` driver correction for queue statistics handling. Taken together, the entries show Microsoft tracking upstream Linux kernel vulnerabilities across file sharing, virtualization, packet processing, and network drivers, with several bugs carrying potential stability or security impact in environments running affected kernel code paths.
3 days ago
Microsoft discloses multiple Linux kernel flaws affecting filesystems, networking, and drivers
Microsoft published a batch of Security Update Guide entries for Linux kernel vulnerabilities spanning core subsystems including `ext4`, `xfs`, memory management, networking, virtualization, and device drivers. The listed issues include memory-safety and stability flaws such as a use-after-free in `ext4` tracked as **CVE-2026-31446**, an `smc` double-free in **CVE-2026-31507**, a teardown-order use-after-free in the `spi-fsl-lpspi` driver in **CVE-2026-31485**, and a Bluetooth `L2CAP` bug in **CVE-2026-31498** that could trigger an infinite loop. Additional entries cover fixes in `af_key`, `netfilter` `ctnetlink`, `nfc` `nci`, `perf`, and memory-management code paths. The disclosures also include filesystem and virtual networking fixes such as **CVE-2026-31452** in `ext4`, **CVE-2026-31454** in `xfs`, and two `openvswitch` issues, **CVE-2026-31678** and **CVE-2026-31679**, addressing tunnel device release handling and MPLS payload-length validation. Microsoft further listed **CVE-2026-31601** in `vfio/xe` and **CVE-2026-31589** in the kernel MM subsystem, indicating broad exposure across Linux environments that rely on affected kernel components. The set of advisories points to patch activity focused on preventing use-after-free, double-free, locking, validation, and resource-lifecycle errors in widely deployed kernel code.
3 days ago