Skip to main content

Linux Kernel EUVDEUVD-2026-26548

| CVE-2026-31735 HIGH
2026-05-01 Linux
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:28 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
8.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:02 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26548
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iommupt: Fix short gather if the unmap goes into a large mapping

unmap has the odd behavior that it can unmap more than requested if the ending point lands within the middle of a large or contiguous IOPTE.

In this case the gather should flush everything unmapped which can be larger than what was requested to be unmapped. The gather was only flushing the range requested to be unmapped, not extending to the extra range, resulting in a short invalidation if the caller hits this special condition.

This was found by the new invalidation/gather test I am adding in preparation for ARMv8. Claude deduced the root cause.

As far as I remember nothing relies on unmapping a large entry, so this is likely not a triggerable bug.

AnalysisAI

Linux kernel IOMMU page table unmapping operations fail to invalidate extended memory regions when unmapping lands mid-entry in large/contiguous mappings, causing stale TLB entries. Affects kernel 6.19 through pre-7.0 versions with IOMMU subsystem enabled. Local authenticated attackers with low privileges can potentially access unmapped memory or escalate privileges by exploiting incomplete invalidations during IOMMU unmap operations. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood. No public exploit identified at time of analysis, though vendor acknowledges theoretical risk is low as 'nothing relies on unmapping a large entry.' Vendor-released patches available for stable branches.

Technical ContextAI

The Linux kernel IOMMU (Input-Output Memory Management Unit) subsystem manages device access to physical memory through page tables similar to CPU MMUs. The iommupt implementation contains a gather/invalidation logic flaw when unmap operations terminate within large or contiguous I/O Page Table Entries (IOPTEs). Per IOMMU specifications, unmapping into the middle of a large mapping extends the unmapped region to encompass the entire large entry. The gather structure-which tracks ranges requiring TLB invalidation-was only recording the originally requested unmap range rather than the actual unmapped region. This causes incomplete TLB/IOTLB flushes, leaving stale mappings accessible to devices. The vulnerability was discovered through new ARMv8 invalidation/gather testing added to kernel validation suites. CPE data indicates broad exposure across Linux kernel builds containing the affected IOMMU code paths introduced in commit 7c53f4238aa8 and fixed in commits 50ecd96a28f7 (stable) and ee6e69d03255 (mainline).

RemediationAI

Upgrade to Linux kernel version 7.0 or later for mainline users, or version 6.19.12 or later for stable branch deployments. Patches integrated in commits ee6e69d032550687a3422504bfca3f834c7b5061 (mainline) and 50ecd96a28f712f8b682c0441f4cb9b086d28816 (stable) correct the gather invalidation range calculation to include extended unmapped regions when operations land mid-large-entry. Refer to https://git.kernel.org/stable/c/50ecd96a28f712f8b682c0441f4cb9b086d28816 for stable branch patch details. No vendor-documented workarounds exist, though systems not utilizing IOMMU features (device passthrough, SR-IOV, or VFIO) are not exposed. As interim mitigation, disable IOMMU strict mode via iommu.strict=0 boot parameter to force lazy invalidation-this may mask stale entry windows but introduces different security trade-offs by deferring all invalidations. For virtualization environments requiring IOMMU isolation, prioritize patching hosts performing SR-IOV or GPU passthrough where stale DMA mappings could cross VM boundaries. Side effect: iommu.strict=0 reduces DMA security guarantees and may violate compliance requirements for isolation-dependent workloads.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26548 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy