CVE-2026-46009
Published May 27, 2026
Modified May 27, 2026
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
epf_ntb_epc_destroy() duplicates the teardown that the caller is supposed to do later. This leads to an oops when .allow_link fails or when .drop_link is performed. Remove the helper.
Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC group lifetime, and pci_epc_put() in the .drop_link path is sufficient.
References
Other References
https://git.kernel.org/stable/c/3446beddba450c8d6f9aca2f028712ac527fead3
https://git.kernel.org/stable/c/65fc57c8b8f0b31be62be291cb1bb01755cec85d
https://git.kernel.org/stable/c/72099f015d3c77bf2eb703d1aab113bd7a60915a
https://git.kernel.org/stable/c/756ca5e7ed22d9045bb4de4c981f9149278d5cd3
https://git.kernel.org/stable/c/e813c95e4c8edd31599081e6356e20ada30e266d
Frequently Asked Questions
What is CVE-2026-46009?
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
epf_ntb_epc_destroy() duplicates the teardown that the caller is
supposed to do later. This leads to an oops when .allow_link fails or
when .drop_link is performed. Remove the helper.
Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC
group lifetime, and pci_epc_put() in the .drop_link path is sufficient.
How do I check if I'm vulnerable to CVE-2026-46009?
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.