Skip to main content

Linux Kernel CVE-2026-43161

| EUVDEUVD-2026-27722 MEDIUM
2026-05-06 Linux GHSA-jph2-qvw9-vvwq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 12:03 vuln.today
CVSS changed
May 13, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode

PCIe endpoints with ATS enabled and passed through to userspace (e.g., QEMU, DPDK) can hard-lock the host when their link drops, either by surprise removal or by a link fault.

Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") adds pci_dev_is_disconnected() to devtlb_invalidation_with_pasid() so ATS invalidation is skipped only when the device is being safely removed, but it applies only when Intel IOMMU scalable mode is enabled.

With scalable mode disabled or unsupported, a system hard-lock occurs when a PCIe endpoint's link drops because the Intel IOMMU waits indefinitely for an ATS invalidation that cannot complete.

Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 domain_context_clear_one_cb pci_for_each_dma_alias device_block_translation blocking_domain_attach_dev iommu_deinit_device __iommu_group_remove_device iommu_release_device iommu_bus_notifier blocking_notifier_call_chain bus_notify device_del pci_remove_bus_device pci_stop_and_remove_bus_device pciehp_unconfigure_device pciehp_disable_slot pciehp_handle_presence_or_link_change pciehp_ist

Commit 81e921fd3216 ("iommu/vt-d: Fix NULL domain on device release") adds intel_pasid_teardown_sm_context() to intel_iommu_release_device(), which calls qi_flush_dev_iotlb() and can also hard-lock the system when a PCIe endpoint's link drops.

Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 intel_context_flush_no_pasid device_pasid_table_teardown pci_pasid_table_teardown pci_for_each_dma_alias intel_pasid_teardown_sm_context intel_iommu_release_device iommu_deinit_device __iommu_group_remove_device iommu_release_device iommu_bus_notifier blocking_notifier_call_chain bus_notify device_del pci_remove_bus_device pci_stop_and_remove_bus_device pciehp_unconfigure_device pciehp_disable_slot pciehp_handle_presence_or_link_change pciehp_ist

Sometimes the endpoint loses connection without a link-down event (e.g., due to a link fault); killing the process (virsh destroy) then hard-locks the host.

Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 domain_context_clear_one_cb pci_for_each_dma_alias device_block_translation blocking_domain_attach_dev __iommu_attach_device __iommu_device_set_domain __iommu_group_set_domain_internal iommu_detach_group vfio_iommu_type1_detach_group vfio_group_detach_container vfio_group_fops_release __fput

pci_dev_is_disconnected() only covers safe-removal paths; pci_device_is_present() tests accessibility by reading vendor/device IDs and internally calls pci_dev_is_disconnected(). On a ConnectX-5 (8 GT/s, x2) this costs ~70 µs.

Since __context_flush_dev_iotlb() is only called on {attach,release}_dev paths (not hot), add pci_device_is_present() there to skip inaccessible devices and avoid the hard-lock.

AnalysisAI

Hard-lock denial of service in the Linux kernel's Intel VT-d IOMMU subsystem affects systems running PCIe passthrough configurations (QEMU, DPDK) without scalable mode enabled. When a PCIe endpoint's link drops - through surprise removal, link fault, or process termination - the kernel enters an indefinite wait inside qi_submit_sync() attempting an ATS invalidation that the disconnected device can never acknowledge. The existing partial fix (commit 4fc82cd907ac) guards this path only when Intel IOMMU scalable mode is active, leaving non-scalable-mode deployments unprotected. No public exploit identified at time of analysis and EPSS is 0.02%, but the impact is a complete host freeze with no recovery path short of power cycling.

Technical ContextAI

The vulnerability resides in the iommu/vt-d subsystem of the Linux kernel, specifically in __context_flush_dev_iotlb() and the qi_submit_sync() queue-invalidation primitive that underpins it. PCIe Address Translation Services (ATS) allows PCIe devices to cache IOVA-to-HPA translations in a device-side IOTLB. When a device is detached from an IOMMU domain, the kernel must issue an ATS Invalidation Request to flush stale entries. If the PCIe link is down, the device cannot respond, and qi_submit_sync() spins indefinitely because the completion never arrives. Three distinct kernel call paths all converge on qi_flush_dev_iotlb: the device_block_translation path (hotplug removal and VFIO group release), and the intel_pasid_teardown_sm_context path introduced by commit 81e921fd3216. Commit 4fc82cd907ac added pci_dev_is_disconnected() to the PASID-based flush path but only under scalable mode, leaving the non-scalable context flush path unguarded. The fix adds pci_device_is_present() - which reads vendor/device IDs over the PCIe bus to confirm accessibility - to __context_flush_dev_iotlb(), skipping the ATS flush entirely for inaccessible devices. CPE cpe:2.3:a:linux:linux affects kernels from the introduction of commit 37764b952e1b (Linux 5.14 era) up to the backported fixes. CWE is not formally assigned, but the root cause is an unbounded resource wait (analogous to CWE-400/CWE-835) on a hardware completion that can never arrive.

RemediationAI

The primary fix is to upgrade to a patched kernel version: Linux 7.0 (mainline fix at https://git.kernel.org/stable/c/bc0490ad9edf5c6f98e39fbbee2877b85261a5ae), Linux 6.19.6 (https://git.kernel.org/stable/c/42662d19839f34735b718129ea200e3734b07e50), Linux 6.18.17 (https://git.kernel.org/stable/c/e70d5feb10c5ba2bbf7ca400b8f39a2f82d653e8), or Linux 6.12.77 LTS (https://git.kernel.org/stable/c/48b3f08e68b29a79527869cdde7298ca2a9b9646). Distribution maintainers for Red Hat and SUSE should be monitored for backported patches. As a compensating control where patching is not immediately possible, enabling Intel IOMMU scalable mode (intel_iommu=sm_on kernel parameter) activates the existing guard from commit 4fc82cd907ac, though scalable mode may not be supported on all hardware and can have performance implications for PASID-based address translation. An alternative is to avoid PCIe passthrough of devices on links known to be flaky, or to configure PCIe hotplug surprise-removal handling to fence the device before the kernel teardown path is invoked. Disabling ATS on the endpoint (if the device driver and firmware permit it) would also prevent the condition, but this eliminates the translation caching benefit and may degrade I/O performance significantly for DPDK workloads.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44308 HIGH
8.8 Nov 20

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy