Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local low-priv operator drives DDT/PDT remaps (AV:L/PR:L); exploiting stale cached translations is a timing/race window so AC:H; IOMMU isolation breach crosses domains so S:C with high C/I/A.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
iommu/riscv: Add IOTINVAL after updating DDT/PDT entries
Add riscv_iommu_iodir_iotinval() to perform required TLB and context cache invalidations after updating DDT or PDT entries, as mandated by the RISC-V IOMMU specification (Section 6.3.1 and 6.3.2).
AnalysisAI
Privilege/isolation bypass in the Linux kernel RISC-V IOMMU driver allows a local low-privileged actor to leverage stale address translations because the driver failed to issue mandatory TLB and context-cache invalidations (IOTINVAL) after updating Device Directory Table (DDT) or Page Directory Table (PDT) entries. Affecting RISC-V platforms running kernels prior to the stable fixes (6.18.33, 7.0.10, 7.1), the gap can let a device or its controlling principal access memory outside its intended IOMMU domain, breaking DMA isolation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a RISC-V platform with the kernel RISC-V IOMMU driver active and a workflow that updates DDT or PDT entries - i.e., device attach/detach, domain reattachment, or PASID/PDT context changes such as those exercised by VFIO/PCIe-passthrough. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a RISC-V host using IOMMU-based device passthrough, a local low-privileged operator (or a guest controlling an assigned device) triggers a sequence of device attach/detach or address-space remap operations, then relies on the IOMMU continuing to honor stale cached DDT/PDT translations to issue DMA against memory that should no longer be reachable. The result is reading residual or cross-domain memory (information disclosure) or corrupting it, breaking IOMMU isolation. … |
| Remediation | Apply the vendor-released stable kernel fixes: upgrade to Linux 6.18.33, 7.0.10, or 7.1 (or backport the three upstream fix commits 3f917d9b, d99d1c13, and f5c262b5 from https://git.kernel.org/stable/c/ ) which add riscv_iommu_iodir_iotinval() to invalidate caches after DDT/PDT updates. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all RISC-V systems running Linux and document current kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38925
GHSA-fjm2-575q-p7vq