Skip to main content

Linux Kernel CVE-2026-45944

| EUVDEUVD-2026-32228 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xp3w-6f4f-gvg7
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 30, 2026 - 11:30 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.5 (HIGH)
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Clear Present bit before tearing down context entry

When tearing down a context entry, the current implementation zeros the entire 128-bit entry using multiple 64-bit writes. This creates a window where the hardware can fetch a "torn" entry - where some fields are already zeroed while the 'Present' bit is still set - leading to unpredictable behavior or spurious faults.

While x86 provides strong write ordering, the compiler may reorder writes to the two 64-bit halves of the context entry. Even without compiler reordering, the hardware fetch is not guaranteed to be atomic with respect to multiple CPU writes.

Align with the "Guidance to Software for Invalidations" in the VT-d spec (Section 6.5.3.3) by implementing the recommended ownership handshake:

  1. Clear only the 'Present' (P) bit of the context entry first to

signal the transition of ownership from hardware to software.

  1. Use dma_wmb() to ensure the cleared bit is visible to the IOMMU.
  2. Perform the required cache and context-cache invalidation to ensure

hardware no longer has cached references to the entry.

  1. Fully zero out the entry only after the invalidation is complete.

Also, add a dma_wmb() to context_set_present() to ensure the entry is fully initialized before the 'Present' bit becomes visible.

AnalysisAI

Race condition in the Intel VT-d IOMMU driver of the Linux kernel allows a window where hardware can fetch a 'torn' context entry while the Present bit is still set, leading to unpredictable IOMMU behavior or spurious DMA faults on affected systems. The flaw stems from non-atomic teardown of 128-bit context entries via multiple 64-bit writes and is addressed by aligning with the VT-d specification's ownership handshake (Section 6.5.3.3); no public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Technical ContextAI

The vulnerability resides in the Intel Virtualization Technology for Directed I/O (VT-d) driver (drivers/iommu/intel/) which manages DMA remapping for Intel IOMMU hardware. Context entries are 128-bit data structures used by the IOMMU to translate DMA requests from PCI devices; the Present (P) bit signals to hardware that the entry is valid for translation. The bug arises because teardown zeroed the entire entry using two 64-bit writes without first clearing the Present bit, creating a torn-read window where the IOMMU could fetch a half-zeroed but still-Present entry. Although x86 provides strong memory ordering for stores from a single CPU, the compiler can reorder the two halves and the hardware's fetch is not atomic relative to multiple CPU writes, violating the VT-d specification's prescribed ownership handshake between software and hardware. No CWE was assigned, but the root cause class is a concurrent/non-atomic update of shared hardware-visible state (akin to CWE-362 race condition).

RemediationAI

Upstream fix available via the stable kernel commits a922dbafb4a674d958d702038232d09a30daf770, c1e4f1dccbe9d7656d1c6872ebeadb5992d0aaa2, and d2138abc8f0a7fce4101b7229b43b06811ed083d; vendor-released patched kernels are Linux 6.18.14, 6.19.4, and 7.0, so administrators should upgrade to one of these (or the distribution-backported equivalent) at the next maintenance window. Given the High attack complexity and High privileges required, emergency patching is generally not warranted; prioritize systems where untrusted code runs with kernel-adjacent privileges or where IOMMU-protected device assignment (VFIO/PCI passthrough to guests) is in use. As a compensating control where patching must be deferred, consider disabling Intel VT-d at boot (intel_iommu=off) on hosts that do not require DMA remapping - this eliminates the affected codepath but removes DMA isolation protections and breaks PCI passthrough and DMA-attack hardening, so it is unsuitable for virtualization hosts or systems exposed to malicious peripherals. Tightening privileged-user access (so PR:H prerequisites cannot easily be met) is a low-cost partial mitigation. Vendor advisory references: the three git.kernel.org commit URLs above and https://nvd.nist.gov/vuln/detail/CVE-2026-45944.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45944 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy