Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local-only trigger via device interaction with low OS privilege; no confidentiality or integrity impact, only kernel availability via WARN_ON and mapping corruption.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
iommu/dma: Do not try to iommu_map a 0 length region in swiotlb
iommu_dma_iova_link_swiotlb() processes a mapping that is unaligned in three parts, the head, middle and trailer. If the middle is empty because there are no aligned pages it will call down to iommu_map() with a 0 size which the iommupt implementation will fail as illegal.
It then tries to do an error unwind and starts from the wrong spot corrupting the mapping so the eventual destruction triggers a WARN_ON.
Check for 0 length and avoid mapping and use offset not 0 as the starting point to unlink.
This is frequently triggered by using some kinds of thunderbolt NVMe drives that trigger forced SWIOTLB for unaligned memory. NVMe seems to pass in oddly aligned buffers for the passthrough commands from smartctl that hit this condition.
AnalysisAI
Kernel availability impact in Linux iommu/dma SWIOTLB subsystem allows a local low-privileged user to corrupt IOMMU mappings and trigger a kernel WARN_ON via Thunderbolt NVMe passthrough commands. The iommu_dma_iova_link_swiotlb() function fails to guard against zero-length middle segments in unaligned DMA mappings, causing iommu_map() to receive an illegal zero-size argument; the subsequent error unwind then starts from the wrong offset, corrupting the IOMMU page table state and firing WARN_ON at destruction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access with at least low-privilege user rights (CVSS PR:L confirmed) on a Linux system that has a Thunderbolt NVMe drive physically connected AND the kernel IOMMU DMA subsystem active with SWIOTLB enabled for that device. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.5 with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H accurately reflects the impact profile: local, low-privilege, reproducible denial-of-service with no confidentiality or integrity consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker or unprivileged local user on a workstation with a Thunderbolt NVMe drive attached runs smartctl with a passthrough command (e.g., smartctl -a /dev/nvme0) that submits an oddly-aligned DMA buffer, forcing the kernel into the SWIOTLB path. The zero-length middle segment triggers the iommu_map(size=0) failure and corrupted unwind, resulting in a kernel WARN_ON that may destabilize or panic the system, denying service to all other users and processes on the host. … |
| Remediation | Update to a Linux kernel version that includes the three upstream fix commits: 6ec91df8aff77e2e8fe3179c1f3fc15b43a40ba3, ab61c990a87d084f5565ee70340543e3a5394697, and b16f8d40bac9ced838d24c9842707af9ecae92e2, available at https://git.kernel.org/stable/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39255
GHSA-rwq9-95v8-58fq