Skip to main content

Linux Kernel EUVDEUVD-2026-27689

| CVE-2026-43130 MEDIUM
2026-05-06 Linux GHSA-m67f-9cj9-483j
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 20:00 vuln.today
CVSS changed
May 08, 2026 - 17:52 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode

Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") relies on pci_dev_is_disconnected() to skip ATS invalidation for safely-removed devices, but it does not cover link-down caused by faults, which can still hard-lock the system.

For example, if a VM fails to connect to the PCIe device, "virsh destroy" is executed to release resources and isolate the fault, but a hard-lockup occurs while releasing the group fd.

Call Trace: qi_submit_sync qi_flush_dev_iotlb intel_pasid_tear_down_entry device_block_translation blocking_domain_attach_dev __iommu_attach_device __iommu_device_set_domain __iommu_group_set_domain_internal iommu_detach_group vfio_iommu_type1_detach_group vfio_group_detach_container vfio_group_fops_release __fput

Although pci_device_is_present() is slower than pci_dev_is_disconnected(), it still takes only ~70 µs on a ConnectX-5 (8 GT/s, x2) and becomes even faster as PCIe speed and width increase.

Besides, devtlb_invalidation_with_pasid() is called only in the paths below, which are far less frequent than memory map/unmap.

  1. mm-struct release
  2. {attach,release}_dev
  3. set/remove PASID
  4. dirty-tracking setup

The gain in system stability far outweighs the negligible cost of using pci_device_is_present() instead of pci_dev_is_disconnected() to decide when to skip ATS invalidation, especially under GDR high-load conditions.

AnalysisAI

Hard-lockup in Linux kernel IOMMU/VT-d subsystem when flushing device IOTLB during PCIe link-down events affects systems using scalable mode with PASID support. Local authenticated attackers can trigger denial of service by causing PCIe device disconnection followed by resource cleanup operations, such as releasing VFIO group file descriptors, which deadlock the system while attempting ATS invalidation on inaccessible devices. Patch available across multiple stable kernel series.

Technical ContextAI

The vulnerability resides in the Intel VT-d IOMMU driver's scalable mode implementation, specifically in the device IOTLB flush mechanism with PASID (Process Address Space ID) support. The issue stems from incorrect device accessibility detection during ATS (Address Translation Service) invalidation. The original commit 4fc82cd907ac attempted to skip ATS invalidation using pci_dev_is_disconnected(), which detects cleanly ejected devices but fails to identify devices that have lost PCIe link connectivity due to faults (link-down events not caused by intentional removal). When a VFIO guest VM loses PCIe device connectivity and attempts cleanup via virsh destroy, the kernel's iommu_detach_group() path calls qi_flush_dev_iotlb() to invalidate cached translations, which issues commands to an inaccessible device. This causes qi_submit_sync() to hang indefinitely, hard-locking the system. The fix replaces pci_dev_is_disconnected() with pci_device_is_present(), which performs a more thorough PCIe configuration space access test (~70 microseconds overhead, deemed negligible for infrequent operations like mm-struct release, attach/release device, PASID management, and dirty-tracking setup).

RemediationAI

Upgrade to the latest stable kernel in your series: Linux 5.10.252 or later for 5.10.x, 5.15.202 or later for 5.15.x, 6.1.165 or later for 6.1.x, 6.6.128 or later for 6.6.x, 6.9 or later for 6.9.x, 6.12.75 or later for 6.12.x, 6.18.16 or later for 6.18.x, 6.19.6 or later for 6.19.x, or 7.0 or later. Specific fix commits are available at https://git.kernel.org/stable/c/581ce094d9eafb78ec4f9de77bd24b780c151236 and related upstream URLs. For systems unable to immediately upgrade, avoid triggering PCIe device disconnection during active VFIO guest operations; implement controlled device detach procedures that gracefully flush caches before fault conditions arise. Disable PASID support or scalable mode IOMMU if unavoidable (trade-off: loses performance optimization for device translation and I/O page fault handling). Apply kernel patches from your distribution's security advisory once available. Ref: https://nvd.nist.gov/vuln/detail/CVE-2026-43130

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27689 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy