Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode

Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation
request when device is disconnected") relies on
pci_dev_is_disconnected() to skip ATS invalidation for
safely-removed devices, but it does not cover link-down caused
by faults, which can still hard-lock the system.

For example, if a VM fails to connect to the PCIe device,
"virsh destroy" is executed to release resources and isolate
the fault, but a hard-lockup occurs while releasing the group fd.

Call Trace:
  qi_submit_sync
  qi_flush_dev_iotlb
  intel_pasid_tear_down_entry
  device_block_translation
  blocking_domain_attach_dev
  __iommu_attach_device
  __iommu_device_set_domain
  __iommu_group_set_domain_internal
  iommu_detach_group
  vfio_iommu_type1_detach_group
  vfio_group_detach_container
  vfio_group_fops_release
  __fput

Although pci_device_is_present() is slower than
pci_dev_is_disconnected(), it still takes only ~70 µs on a
ConnectX-5 (8 GT/s, x2) and becomes even faster as PCIe speed
and width increase.

Besides, devtlb_invalidation_with_pasid() is called only in the
paths below, which are far less frequent than memory map/unmap.

1. mm-struct release
2. {attach,release}_dev
3. set/remove PASID
4. dirty-tracking setup

The gain in system stability far outweighs the negligible cost
of using pci_device_is_present() instead of pci_dev_is_disconnected()
to decide when to skip ATS invalidation, especially under GDR
high-load conditions.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the function that flushes the device IOTLB performs a check using pci_dev_is_disconnected() to skip the operation when a device reports itself disconnected. That check does not detect link‑down states caused by faults, so when a VM releases a PCIe device that has become faulted but not yet reported as disconnected, the flush attempt continues and the kernel hard‑locks. The resulting denial of service can bring the entire host to a halt, affecting all workloads.
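
The gap between the two checks, as an added example that is neither kernel code nor part of the advisory: a simplified user-space C model in which pci_dev_is_disconnected() is represented by a software state flag and pci_device_is_present() by that flag plus a vendor-ID config read. The struct, the model_* names, the vendor ID value and the three sample devices are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of a PCIe endpoint; not kernel code. */
enum chan_state { CHAN_NORMAL, CHAN_PERM_FAILURE };
enum flush_result { FLUSH_SKIPPED, FLUSH_DONE, FLUSH_HANG };

struct model_dev {
    const char *name;
    enum chan_state error_state; /* software flag, set on orderly removal */
    bool link_up;                /* physical link state */
};

/* Vendor-ID config read: all-ones when nothing answers on the link. */
static uint16_t model_read_vendor(const struct model_dev *d) {
    return d->link_up ? 0x1234 : 0xFFFF; /* 0x1234: constructed vendor ID */
}

/* Models pci_dev_is_disconnected(): consults only the software flag. */
static bool model_is_disconnected(const struct model_dev *d) {
    return d->error_state == CHAN_PERM_FAILURE;
}

/* Models pci_device_is_present(): flag first, then probe the hardware. */
static bool model_is_present(const struct model_dev *d) {
    return !model_is_disconnected(d) && model_read_vendor(d) != 0xFFFF;
}

/* An invalidation sent to a device that cannot answer never completes. */
static enum flush_result model_flush(const struct model_dev *d, bool probe_hw) {
    bool skip = probe_hw ? !model_is_present(d) : model_is_disconnected(d);
    if (skip)
        return FLUSH_SKIPPED;
    return d->link_up ? FLUSH_DONE : FLUSH_HANG;
}

int main(void) {
    static const char *const label[] = { "skipped", "done", "HANG" };
    const struct model_dev devs[] = {
        { "healthy",         CHAN_NORMAL,       true  },
        { "safely removed",  CHAN_PERM_FAILURE, false },
        { "link-down fault", CHAN_NORMAL,       false },
    };
    for (size_t i = 0; i < sizeof(devs) / sizeof(devs[0]); i++)
        printf("%-16s flag-only: %-8s probe: %s\n", devs[i].name,
               label[model_flush(&devs[i], false)], label[model_flush(&devs[i], true)]);
    return 0;
}
```

Only the third device separates the two checks: its software flag still reads normal, so the flag-only guard lets the invalidation through to a link that cannot answer.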

Affected Systems

All Linux systems running a kernel version that includes this logic are affected, regardless of the distribution vendor. The advisory does not list specific kernel releases, but any kernel that contains the commit highlighted in the description (“iommu/vt‑d: Flush dev‑IOTLB only when PCIe device is accessible in scalable mode”) is at risk. The vulnerability is present in both the mainline Linux kernel and kernel variants used by major vendors.

Risk and Exploitability

The issue is not catalogued in CISA KEV and no public CVSS or EPSS score is available. Based on the description, it is inferred that an attacker who can trigger a link‑down fault on a PCIe device or force the destruction of a VM attached to such a device could exercise the vulnerability. While no exploit has been documented, the effect—a hard lockup that can stop the entire host—means the potential impact is high for environments that require continuous kernel operation. The likelihood of exploitation is uncertain, but in systems where virtual machines are actively managed, the risk is significant enough to warrant prompt mitigation.

Generated by OpenCVE AI on May 6, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains commit 4fc82cd907ac, which replaces pci_dev_is_disconnected() with pci_device_is_present() to correctly detect device disconnection.
  • If a kernel upgrade cannot be applied immediately, avoid forcefully destroying virtual machines that are connected to PCIe devices; instead, verify that the device is truly removed before issuing a destroy operation.
  • After applying the kernel update, reboot the host to ensure the new code path is active during boot and to clear any lingering transaction state.


Advisories

No advisories yet.

History

Wed, 06 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:18.825Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43130

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:30.083

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T15:15:09Z

Weaknesses