MEDIUM 5.5

CVE-2026-46290: Linux EFI Page Fault Handler Fix for FPU Softirq Regression

A Linux kernel bug affects how the system handles page faults during firmware calls on x86/EFI systems. Recent changes to improve cryptographic performance modified how the kernel manages floating-point unit access, inadvertently causing the page fault handler to always bail out when firmware triggers a fault. On systems with buggy firmware that generates page faults during runtime calls, this escalates to a system panic and hard freeze instead of gracefully recovering. The fix changes the fault detection logic to properly distinguish between real interrupt contexts and the FPU management code path.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
3 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: x86/efi: Fix graceful fault handling after FPU softirq changes Since commit d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin() calls fpregs_lock() which uses local_bh_disable() instead of the previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count during the entire EFI runtime service call, causing in_interrupt() to return true in normal task context. The graceful page fault handler efi_crash_gracefully_on_page_fault() uses in_interrupt() to bail out for faults in real interrupt context. With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI firmware page faults unhandled. This escalates to die() which also sees in_interrupt() as true and calls panic("Fatal exception in interrupt"), resulting in a hard system freeze. On systems with buggy firmware that triggers page faults during EFI runtime calls (e.g., accessing unmapped memory in GetTime()), this causes an unrecoverable hang instead of the expected graceful EFI_ABORTED recovery. Fix by replacing in_interrupt() with !in_task(). This preserves the original intent of bailing for interrupts or NMI faults, while no longer falsely triggering from the FPU code path's local_bh_disable(). [ardb: Sashiko spotted that using 'in_hardirq() || in_nmi()' leaves a window where a softirq may be taken before fpregs_lock() is called, but after efi_rts_work.efi_rts_id has been assigned, and any page faults occurring in that window will then be misidentified as having been caused by the firmware. Instead, use !in_task(), which incorporates in_serving_softirq(). ]

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from commit d02198550423, which replaced preempt_disable() with local_bh_disable() in kernel_fpu_begin() to improve FPU usability in softirq contexts. This change sets SOFTIRQ_OFFSET in preempt_count, causing in_interrupt() to evaluate true even in normal task context. The graceful fault handler efi_crash_gracefully_on_page_fault() relies on in_interrupt() to determine whether to attempt recovery from EFI firmware page faults. With SOFTIRQ_OFFSET now present, the handler incorrectly bails out for all faults occurring during EFI runtime service calls, leaving firmware-induced page faults unhandled. The kernel's die() function then observes in_interrupt() as true and invokes panic(), resulting in an unrecoverable system freeze. The fix replaces in_interrupt() with !in_task(), which incorporates in_serving_softirq() and correctly identifies only genuine interrupt and NMI contexts while allowing graceful EFI fault recovery during the FPU code path.

Business impact

On production systems running Linux on x86/EFI platforms with firmware implementations that trigger page faults during GetTime() or other runtime service calls, this vulnerability causes unpredictable system hangs that cannot be recovered gracefully. This affects availability and may complicate firmware compatibility and system stability in data center and embedded environments where such firmware quirks exist. The issue manifests only on systems with specific buggy firmware, limiting but not eliminating the population at risk.

Affected systems

The vulnerability affects Linux kernel systems on x86/EFI architectures. The condition is triggered by the combination of: (1) kernel versions containing commit d02198550423 or later that modified FPU softirq handling, and (2) EFI firmware implementations that generate page faults during runtime service calls. Systems running older kernels without the FPU softirq optimization commit are not affected. Non-x86 architectures and non-EFI boot paths are unaffected.

Exploitability

This is not a privilege escalation or remote code execution vulnerability. Exploitation requires buggy firmware that generates page faults during EFI runtime calls—a hardware/firmware condition rather than a software input vector. The vulnerability is triggered passively during normal EFI operations, not through intentional attack. No user action or malicious input is required; affected systems hang automatically when firmware generates the fault. However, since it requires specific firmware bugs and kernel versions, practical exploitability is limited to systems with both conditions present.

Remediation

Apply the kernel patch that replaces in_interrupt() with !in_task() in the efi_crash_gracefully_on_page_fault() handler. This fix restores the graceful fault recovery mechanism while preserving the FPU softirq optimization. Verify the patch against your kernel version's advisory or mainline kernel repository. Systems should prioritize this patch if they run x86/EFI with firmware known to generate page faults during runtime calls.

Patch guidance

The fix is a targeted change to the EFI fault handler logic, replacing the condition check from in_interrupt() to !in_task(). This is a minimal change with low regression risk. Apply patches from your Linux distribution's stable kernel updates or backport from mainline. Test on representative hardware with the same firmware revision to confirm the graceful recovery behavior is restored. If your system does not run EFI or has not experienced unexplained panics during firmware calls, the patch still improves correctness and should be applied during regular maintenance windows.

Detection guidance

Monitor system logs for panic messages mentioning 'Fatal exception in interrupt' or kernel stack traces showing efi_crash_gracefully_on_page_fault() followed by die() and panic(). Kernel messages may also show 'EFI' in the context. Systems with this issue will experience hard hangs rather than graceful shutdowns; review boot logs and system uptime patterns for unexplained reboots or freezes correlated with EFI runtime service calls. Firmware vendors' GetTime() or similar runtime service invocations may precede the hang if firmware debug output is enabled.

Why prioritize this

Prioritize patching systems identified as running affected kernel versions on x86/EFI, especially in production environments where availability is critical. The CVSS score reflects the denial-of-service impact and local privilege requirement. While not remotely exploitable, the availability impact is severe—affected systems become unrecoverable without human intervention. Address this in your next maintenance cycle for affected platforms, and sooner for mission-critical infrastructure.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects a denial-of-service impact with local access requirements. The vulnerability requires local presence (AV:L), low complexity to trigger (AC:L), and low privilege (PR:L). It results in high availability impact (A:H) but no confidentiality or integrity loss. The score appropriately captures the severity of an unrecoverable system freeze while accounting for the limited attack surface and firmware-dependency.

Frequently asked questions

Will this vulnerability cause a system to crash immediately after applying the FPU softirq optimization?

No. The crash only occurs on systems where firmware generates page faults during EFI runtime calls—a condition specific to certain buggy firmware implementations. Most systems with the FPU optimization will never encounter this bug. You can safely run the optimized kernel; the fix is available when needed.

How do I know if my firmware triggers page faults during EFI runtime calls?

This is difficult to predict without testing. If your system has experienced unexplained hard freezes or panics during boot or firmware interaction on an affected kernel version, your firmware is likely susceptible. Consult your hardware/firmware vendor's release notes or contact their support if you suspect this issue.

Is this a remote code execution or privilege escalation?

No. This is a denial-of-service vulnerability that causes a system hang. It does not allow code execution, privilege elevation, or data theft. An attacker cannot remotely trigger it; only buggy firmware behavior triggers the condition.

Should I disable FPU softirq optimizations to avoid this bug?

No. Apply the kernel patch instead. The patch preserves the FPU optimization while fixing the fault handling logic. Disabling the optimization would forfeit performance gains unnecessarily. The fix is the correct solution.

This analysis is based on the CVE-2026-46290 public record. CVSS scores and severity ratings reflect the official CVE metrics. Patch versions, vendor advisories, and release dates must be verified against official Linux kernel and distribution vendor sources before deployment. This vulnerability requires specific firmware conditions and kernel versions; verify your environment's applicability before prioritizing. No exploit code or proof-of-concept demonstration is provided. Test all kernel patches in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).