CVE-2026-43220 - Vulnerability Details

- iommu/amd: serialize sequence allocation under concurrent TLB invalidations

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: serialize sequence allocation under concurrent TLB invalidations

With concurrent TLB invalidations, completion wait randomly gets timed out
because cmd_sem_val was incremented outside the IOMMU spinlock, allowing
CMD_COMPL_WAIT commands to be queued out of sequence and breaking the
ordering assumption in wait_on_sem().
Move the cmd_sem_val increment under iommu->lock so completion sequence
allocation is serialized with command queuing.
And remove the unnecessary return.

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An AMD IOMMU driver race condition in the Linux kernel serializes CMD_COMPL_WAIT command sequencing incorrectly due to incrementing cmd_sem_val outside the spinlock during concurrent TLB invalidations. This concurrently executed bug, identified as CWE-1066 and indicated in NVD-CWE-noinfo, can cause completion waits to time out unpredictably, violating wait_on_sem() ordering assumptions and potentially leading to kernel hangs or crashes.

Affected Systems

Any Linux kernel that includes the AMD IOMMU subsystem before the patch commit. The vulnerability is not tied to a specific kernel release; all versions containing the vulnerable code path are potentially impacted. The fix is available in recent kernel releases after commit 48caa7542a795c9679ec1bd1bc2592e05a7369a4.

Risk and Exploitability

The CVSS score is 5.5, EPSS score is < 1%, and it is not listed in CISA KEV. Exploitation would require triggering concurrent TLB invalidations and queuing CMD_COMPL_WAIT commands, a scenario that generally demands privileged or kernel-level code. Consequently, local or remote attackers with kernel execution capabilities could abuse the race to cause a denial of service, but the probability of exploitation remains uncertain. Given the impact of a kernel crash and lack of user‑level mitigations, the risk is considered high for affected systems.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`f2f65b28d802a667119147444ec2ae33eebf9a58`	affected	< d51bf43193b1e95dc4e34e540dc76e19def2ae5a
`715c263119fd1b918a9fcbd8a36ea5b604a46324`	affected	< fca7aa0264ae99e5ff287d0ced5af0b82b121c4f
`e15768e68820142077bbca402d8e902f64ade1b0`	affected	< 5000ce7fcb31067566a1a1a2e5b5bbff93625242
`496269d12072ecb219826485bdbec70c92a8eef5`	affected	< 48caa7542a795c9679ec1bd1bc2592e05a7369a4
`d2a0cac10597068567d336e85fa3cbdbe8ca62bf`	affected	< 9e249c48412828e807afddc21527eb734dc9bd3d

Linux

unaffected

Version	Status	Constraints
`6.6.128`	affected	< 6.6.140
`6.12.75`	affected	< 6.12.88

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e15768e68820142077bbca402d8e902f64ade1b0,5000ce7fcb31067566a1a1a2e5b5bbff93625242)`	affected	code_commit	—
`[496269d12072ecb219826485bdbec70c92a8eef5,48caa7542a795c9679ec1bd1bc2592e05a7369a4)`	affected	code_commit	—
`[d2a0cac10597068567d336e85fa3cbdbe8ca62bf,9e249c48412828e807afddc21527eb734dc9bd3d)`	affected	code_commit	—
`f2f65b28d802a667119147444ec2ae33eebf9a58`	affected	code_commit	—
`715c263119fd1b918a9fcbd8a36ea5b604a46324`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Linux kernel update that includes commit 48caa7542a795c9679ec1bd1bc2592e05a7369a4 or later.
Reboot the system so the updated kernel and IOMMU driver load.
Monitor kernel logs (dmesg, /var/log/kern.log) for any IOMMU or TLB invalidation related warnings; if issues persist, consider temporarily disabling AMD IOMMU or applying a newer kernel.

Generated by OpenCVE AI on May 12, 2026 at 21:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6274-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/48caa7542a795c9679ec1bd1bc2592e05a7369a4
https://git.kernel.org/stable/c/5000ce7fcb31067566a1a1a2e5b5bbff93625242
https://git.kernel.org/stable/c/9e249c48412828e807afddc21527eb734dc9bd3d
https://git.kernel.org/stable/c/d51bf43193b1e95dc4e34e540dc76e19def2ae5a
https://git.kernel.org/stable/c/fca7aa0264ae99e5ff287d0ced5af0b82b121c4f
https://lore.kernel.org/linux-cve-announce/2026050652-CVE-2026-43220-cf2b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43220
https://www.cve.org/CVERecord?id=CVE-2026-43220

History

Sun, 17 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/d51bf43193b1e95dc4e34e540dc76e19def2ae5a

Thu, 14 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/fca7aa0264ae99e5ff287d0ced5af0b82b121c4f

Tue, 12 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 07 May 2026 04:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-362

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1066
References		https://lore.kernel.org/linux-cve-announce/2026050652-CVE-2026-43220-cf2b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43220 https://www.cve.org/CVERecord?id=CVE-2026-43220

Wed, 06 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: iommu/amd: serialize sequence allocation under concurrent TLB invalidations With concurrent TLB invalidations, completion wait randomly gets timed out because cmd_sem_val was incremented outside the IOMMU spinlock, allowing CMD_COMPL_WAIT commands to be queued out of sequence and breaking the ordering assumption in wait_on_sem(). Move the cmd_sem_val increment under iommu->lock so completion sequence allocation is serialized with command queuing. And remove the unnecessary return.
Title		iommu/amd: serialize sequence allocation under concurrent TLB invalidations
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/48caa7542a795c9679ec1bd1bc2592e05a7369a4 https://git.kernel.org/stable/c/5000ce7fcb31067566a1a1a2e5b5bbff93625242 https://git.kernel.org/stable/c/9e249c48412828e807afddc21527eb734dc9bd3d

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:20.905Z

Updated: 2026-05-17T15:21:38.711Z

Reserved: 2026-05-01T14:12:55.994Z

Link: CVE-2026-43220

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-05-06T12:16:41.660

Modified: 2026-05-17T16:16:16.630

Link: CVE-2026-43220

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43220 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-12T21:45:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object