Skip to main content

Linux Kernel EUVDEUVD-2026-32360

| CVE-2026-45894 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8pm8-q9qq-gqgp
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:26 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Clear Present bit before tearing down PASID entry

The Intel VT-d Scalable Mode PASID table entry consists of 512 bits (64 bytes). When tearing down an entry, the current implementation zeros the entire 64-byte structure immediately using multiple 64-bit writes.

Since the IOMMU hardware may fetch these 64 bytes using multiple internal transactions (e.g., four 128-bit bursts), updating or zeroing the entire entry while it is active (P=1) risks a "torn" read. If a hardware fetch occurs simultaneously with the CPU zeroing the entry, the hardware could observe an inconsistent state, leading to unpredictable behavior or spurious faults.

Follow the "Guidance to Software for Invalidations" in the VT-d spec (Section 6.5.3.3) by implementing the recommended ownership handshake:

  1. Clear only the 'Present' (P) bit of the PASID entry.
  2. Use a dma_wmb() to ensure the cleared bit is visible to hardware

before proceeding.

  1. Execute the required invalidation sequence (PASID cache, IOTLB, and

Device-TLB flush) to ensure the hardware has released all cached references.

  1. Only after the flushes are complete, zero out the remaining fields

of the PASID entry.

Also, add a dma_wmb() in pasid_set_present() to ensure that all other fields of the PASID entry are visible to the hardware before the Present bit is set.

AnalysisAI

Race condition in Linux kernel Intel VT-d IOMMU driver (iommu/vt-d) allows torn reads of Scalable Mode PASID table entries during teardown, producing unpredictable behavior or spurious faults on systems with Intel VT-d enabled. The flaw stems from zeroing the entire 64-byte PASID entry while the Present bit is still set, violating the VT-d spec's invalidation guidance. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable branches.

Technical ContextAI

The Intel Virtualization Technology for Directed I/O (VT-d) IOMMU uses Scalable Mode PASID (Process Address Space ID) tables to translate DMA requests from PCIe devices on a per-process basis. Each PASID table entry is 512 bits (64 bytes) and is fetched by the IOMMU hardware via multiple internal transactions (e.g., four 128-bit bursts). The buggy teardown path in drivers/iommu/intel/pasid.c zeroed the full entry in one shot without first clearing the Present (P) bit and performing the required invalidation handshake described in VT-d spec section 6.5.3.3, allowing the hardware to observe a partially-updated entry - a classic concurrent-access / TOCTOU class issue in shared CPU/IOMMU memory. The fix introduces a proper ownership protocol: clear P, dma_wmb(), flush PASID cache + IOTLB + Device-TLB, then zero remaining fields, plus a dma_wmb() in pasid_set_present() so all other fields are visible before P is asserted. CWE is unassigned but this aligns with CWE-362 (race condition) and CWE-1037-style hardware/software state inconsistency.

RemediationAI

Vendor-released patch: upgrade to Linux 6.12.75, 6.18.14, 6.19.4, or 7.0 (or any later stable release containing the four fix commits 75ed0005…, 949d7166…, 821807c1…, and a84d30e8…) as published via https://git.kernel.org/stable/c/75ed00055c059dedc47b5daaaa2f8a7a019138ff and the companion stable commits. Distribution users should track their vendor's backport (RHEL/SLES/Ubuntu/Debian kernel advisories) referenced from https://nvd.nist.gov/vuln/detail/CVE-2026-45894. As a compensating control until patched, disable Intel VT-d Scalable Mode / SVA by booting with 'intel_iommu=off' or 'intel_iommu=on,sm_off' where supported - this eliminates the vulnerable code path but also disables DMA remapping and PASID-based SVA, which will break SR-IOV isolation, confidential-compute IOMMU protection, and accelerator workloads (e.g., IDXD/DSA, GPU SVM). On multi-tenant hosts where VT-d cannot be disabled, restrict guest/process access to PASID-allocating interfaces and avoid hot teardown of SVA bindings under load until the patched kernel is deployed.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44308 HIGH
8.8 Nov 20

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32360 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy