Description
In the Linux kernel, the following vulnerability has been resolved:

iommu: disable SVA when CONFIG_X86 is set

Patch series "Fix stale IOTLB entries for kernel address space", v7.

This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
page table entries. When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries. This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.

This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.


This patch (of 8):

In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables. The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table. Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.

The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings. This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.

Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated. The IOMMU could
misinterpret the new data as valid page table entries. The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation. This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.

Currently, SVA contexts are unprivileged and cannot access kernel
mappings. However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out. This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.

Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-After-Free leading to privilege escalation
Action: Patch
AI Analysis

Impact

In the Linux kernel, a flaw in the IOMMU Shared Virtual Addressing (SVA) subsystem allows the kernel's page table entries to be cached, so that when a page is freed and later reused, the IOMMU may still hold stale entries. This stale cache can be exploited by an attacker to force the IOMMU to treat attacker‑controlled data as valid page table entries, culminating in use‑after‑free or write‑after‑free conditions that can lead to arbitrary DMA access or privilege escalation.

Affected Systems

This vulnerability affects the Linux kernel on systems that run on the x86 architecture with the IOMMU SVA feature enabled. Version information is not explicitly given, but any kernel build with CONFIG_X86 and SVA enabled is potentially affected. No specific kernel releases are listed.

Risk and Exploitability

The CVSS score of 7.8 indicates a high‑severity flaw, while the EPSS score of < 1 % shows a very low exploitation probability at the current time. The vulnerability is not listed in the CISA KEV catalog. Exploitability requires a device that interacts with the IOMMU; an attacker would need to trigger the stale cache through device‑side activity or other privileged interaction with the kernel page tables.

Generated by OpenCVE AI on April 27, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch series "Fix stale IOTLB entries for kernel address space", v7, which disables SVA on x86 until the IOMMU can be properly notified of page‑table changes.
  • If updating the kernel immediately is not possible, configure the system to disable IOMMU SVA by setting the appropriate kernel configuration (e.g., unsetting CONFIG_SVA) or using a boot parameter to turn off SVA support.
  • Run kernel update tools or access the repository mailing lists to obtain the latest stable release that includes the fix, then install it according to your distribution’s procedures.

Generated by OpenCVE AI on April 27, 2026 at 21:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4499-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6163-1 linux security update
Ubuntu USN Ubuntu USN USN-8177-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8179-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8177-2 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8183-1 Linux kernel (GCP) vulnerabilities
Ubuntu USN Ubuntu USN USN-8184-1 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8179-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8185-1 Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8179-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8183-2 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8203-1 Linux kernel (Oracle) vulnerabilities
Ubuntu USN Ubuntu USN USN-8204-1 Linux kernel (Raspberry Pi Real-time) vulnerabilities
History

Mon, 27 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 02 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Thu, 26 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 12 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
References

Fri, 16 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Tue, 13 Jan 2026 15:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages.
Title iommu: disable SVA when CONFIG_X86 is set
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T08:39:37.445Z

Reserved: 2026-01-13T15:30:19.649Z

Link: CVE-2025-71089

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-01-13T16:16:08.583

Modified: 2026-04-02T09:16:20.120

Link: CVE-2025-71089

cve-icon Redhat

Severity : Low

Publid Date: 2026-01-13T00:00:00Z

Links: CVE-2025-71089 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T21:45:14Z

Weaknesses