Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode

Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation
request when device is disconnected") relies on
pci_dev_is_disconnected() to skip ATS invalidation for
safely-removed devices, but it does not cover link-down caused
by faults, which can still hard-lock the system.

For example, if a VM fails to connect to the PCIe device,
"virsh destroy" is executed to release resources and isolate
the fault, but a hard-lockup occurs while releasing the group fd.

Call Trace:
qi_submit_sync
qi_flush_dev_iotlb
intel_pasid_tear_down_entry
device_block_translation
blocking_domain_attach_dev
__iommu_attach_device
__iommu_device_set_domain
__iommu_group_set_domain_internal
iommu_detach_group
vfio_iommu_type1_detach_group
vfio_group_detach_container
vfio_group_fops_release
__fput

Although pci_device_is_present() is slower than
pci_dev_is_disconnected(), it still takes only ~70 µs on a
ConnectX-5 (8 GT/s, x2) and becomes even faster as PCIe speed
and width increase.

Besides, devtlb_invalidation_with_pasid() is called only in the
paths below, which are far less frequent than memory map/unmap.

1. mm-struct release
2. {attach,release}_dev
3. set/remove PASID
4. dirty-tracking setup

The gain in system stability far outweighs the negligible cost
of using pci_device_is_present() instead of pci_dev_is_disconnected()
to decide when to skip ATS invalidation, especially under GDR
high-load conditions.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the function that flushes the device IOTLB performs a check using pci_dev_is_disconnected() to skip the operation when a device reports itself disconnected. That check does not detect link-down states caused by faults, so when a VM releases a PCIe device that has become faulted but not yet reported as disconnected, the flush attempt continues and the kernel hard-locks. The resulting denial of service can bring the entire host to a halt, affecting all workloads.

Affected Systems

All Linux systems running a kernel version that includes this logic are affected, regardless of the distribution vendor. The advisory does not list specific kernel releases, but any kernel that contains the commit highlighted in the description ("iommu/vt‑d: Flush dev‑IOTLB only when PCIe device is accessible in scalable mode") is at risk. The vulnerability is present in both the mainline Linux kernel and kernel variants used by major vendors.

Risk and Exploitability

The issue is not catalogued in CISA KEV and the CVSS score is 5.5, indicating moderate severity. The EPSS score is 0.00024, indicating a very low exploitation probability. Based on the description, it is inferred that an attacker who can trigger a link-down fault on a PCIe device or force the destruction of a VM attached to such a device could exercise the vulnerability. While no exploit has been documented, the effect—a hard lockup that can stop the entire host—means the potential impact is high for environments that require continuous kernel operation. The likelihood of exploitation is uncertain, but in systems where virtual machines are actively managed, the risk is significant enough to warrant prompt mitigation.

Generated by OpenCVE AI on May 8, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains commit 4fc82cd907ac, which replaces pci_dev_is_disconnected() with pci_device_is_present() to correctly detect device disconnection.
  • If a kernel upgrade cannot be applied immediately, avoid forcefully destroying virtual machines that are connected to PCIe devices; instead, verify that the device is truly removed before issuing a destroy operation.
  • After applying the kernel update, reboot the host to ensure the new code path is active during boot and to clear any lingering transaction state.

Generated by OpenCVE AI on May 8, 2026 at 20:52 UTC.
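
An operator-side counterpart to the pci_device_is_present() test named in the description, added here as an example and not taken from the advisory or the kernel patch: it reads the vendor/device dword from a PCI function's sysfs config file and treats all-ones or all-zero patterns as "not responding". The sysfs path layout, the helper names and the sample bytes are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: first four config-space bytes (little-endian). */
static const unsigned char SAMPLE_HEALTHY[4]   = { 0xb3, 0x15, 0x17, 0x10 };
static const unsigned char SAMPLE_LINK_DOWN[4] = { 0xff, 0xff, 0xff, 0xff };

/* Classify dword 0 (Device ID << 16 | Vendor ID). Modelled on the
 * vendor-ID sanity rule used when probing a function; a config read
 * typically returns all-ones when nothing answers on the link. */
static bool vendor_dword_is_present(uint32_t v)
{
    return !(v == 0xffffffffu || v == 0x00000000u ||
             v == 0x0000ffffu || v == 0xffff0000u);
}

/* Decode the first four bytes of a config-space image. */
static uint32_t config_dword0(const unsigned char *cfg)
{
    return (uint32_t)cfg[0] | (uint32_t)cfg[1] << 8 |
           (uint32_t)cfg[2] << 16 | (uint32_t)cfg[3] << 24;
}

/* 1 = function responds, 0 = no response, -1 = file could not be read.
 * For an SR-IOV VF, pass the parent PF's config file instead: a VF's
 * own Vendor ID field reads 0xffff by design. */
static int pci_function_responds(const char *config_path)
{
    unsigned char buf[4];
    FILE *f = fopen(config_path, "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (n != sizeof buf)
        return -1;
    return vendor_dword_is_present(config_dword0(buf)) ? 1 : 0;
}

int main(int argc, char **argv)
{
    printf("healthy=%d link_down=%d\n",
           vendor_dword_is_present(config_dword0(SAMPLE_HEALTHY)),
           vendor_dword_is_present(config_dword0(SAMPLE_LINK_DOWN)));
    if (argc > 1) /* assumed layout: /sys/bus/pci/devices/<BDF>/config */
        printf("%s: %d\n", argv[1], pci_function_responds(argv[1]));
    return 0;
}
```

A result of 0 for a device that is still bound to vfio-pci is the link-down case the description says the cached disconnected flag does not cover.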


Advisories
Source: Debian DLA
ID: DLA-4606-1
Title: linux security update
History

Fri, 08 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Thu, 07 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 06 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:06:22.409Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43130

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:30.083

Modified: 2026-05-08T17:44:36.210

Link: CVE-2026-43130

Redhat

Severity: Low

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43130 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T21:00:10Z

Weaknesses