Description
In the Linux kernel, the following vulnerability has been resolved:

iommupt: Fix short gather if the unmap goes into a large mapping

unmap has the odd behavior that it can unmap more than requested if the
ending point lands within the middle of a large or contiguous IOPTE.

In this case the gather should flush everything unmapped which can be
larger than what was requested to be unmapped. The gather was only
flushing the range requested to be unmapped, not extending to the extra
range, resulting in a short invalidation if the caller hits this special
condition.

This was found by the new invalidation/gather test I am adding in
preparation for ARMv8. Claude deduced the root cause.

As far as I remember nothing relies on unmapping a large entry, so this is
likely not a triggerable bug.
Published: 2026-05-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s iommupt unmap routine can leave portions of a large IOPTE unmapped when the requested unmap range ends inside a contiguous mapping. The code flushes only the requested area, not the extra overlap, resulting in a short invalidation. This flaw does not expose obvious information leakage or direct code execution paths, but it could leave stale mappings that might cause undefined behavior if later accessed.

Affected Systems

The vulnerability affects all Linux kernels that include the iommupt unmap path; no specific product or version was listed in the CNA data.

Risk and Exploitability

The CVSS score is 8.8, with an EPSS score of 0.00018 (less than 1%). The vulnerability is not currently listed in the CISA KEV catalog, and the description states that nothing depends on large-entry unmapping, implying low likelihood of exploitation. The potential impact is limited to kernel stability and unlikely to be triggerable by user‑space applications.

Generated by OpenCVE AI on May 3, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the commit associated with the fix (e.g., the commit referenced in the provided Git links).
  • Verify that the kernel’s IOMMU drivers and related modules use only the corrected unmap behaviour in test environments, especially with large or contiguous IOPTEs.
  • Monitor system stability and IOMMU logs for unexpected behaviour; ensure that no legacy code or drivers invoke unmap on large mappings that could trigger the condition.

Generated by OpenCVE AI on May 3, 2026 at 07:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-459
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iommupt: Fix short gather if the unmap goes into a large mapping unmap has the odd behavior that it can unmap more than requested if the ending point lands within the middle of a large or contiguous IOPTE. In this case the gather should flush everything unmapped which can be larger than what was requested to be unmapped. The gather was only flushing the range requested to be unmapped, not extending to the extra range, resulting in a short invalidation if the caller hits this special condition. This was found by the new invalidation/gather test I am adding in preparation for ARMv8. Claude deduced the root cause. As far as I remember nothing relies on unmapping a large entry, so this is likely not a triggerable bug.
Title iommupt: Fix short gather if the unmap goes into a large mapping
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-03T05:45:41.300Z

Reserved: 2026-03-09T15:48:24.137Z

Link: CVE-2026-31735

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:36.140

Modified: 2026-05-03T07:16:19.190

Link: CVE-2026-31735

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31735 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-03T08:00:10Z

Weaknesses