CVE-2026-43253 - Vulnerability Details

- iommu/amd: move wait_on_sem() out of spinlock

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: move wait_on_sem() out of spinlock

With iommu.strict=1, the existing completion wait path can cause soft
lockups under stressed environment, as wait_on_sem() busy-waits under the
spinlock with interrupts disabled.

Move the completion wait in iommu_completion_wait() out of the spinlock.
wait_on_sem() only polls the hardware-updated cmd_sem and does not require
iommu->lock, so holding the lock during the busy wait unnecessarily
increases contention and extends the time with interrupts disabled.

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The fault in iommu/amd causes the kernel to hold a spinlock while busy‑waiting for a semaphore, keeping interrupts disabled and the lock held for an extended period. When iommu.strict=1 is enabled, this can lead to soft lock‑ups under high load or repeated wait conditions, making the system unresponsive. The weakness is a concurrency mis‑management flaw that requires no direct code execution or privileged access to manifest.

Affected Systems

The issue resides in the Linux kernel; it affects any distribution that ships with the legacy iommu implementation that has not applied the patch referenced in the commit log. No specific version range is listed in the CVE metadata, so any kernel build containing the unpatched iommu code is potentially vulnerable.

Risk and Exploitability

The vulnerability has no publicly disclosed CVSS score; however the EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector involves generating or processing IOMMU requests that trigger the waiting path while iommu.strict=1 is set, which could be achieved by a local process or attacker with kernel‑level IOMMU manipulation capabilities. While the bug does not enable arbitrary code execution, it offers a straightforward denial‑of‑service path that can be exploited in environments with stressed hardware or repeated device reassignment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< f2f65b28d802a667119147444ec2ae33eebf9a58
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 715c263119fd1b918a9fcbd8a36ea5b604a46324
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e15768e68820142077bbca402d8e902f64ade1b0
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 496269d12072ecb219826485bdbec70c92a8eef5
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d2a0cac10597068567d336e85fa3cbdbe8ca62bf

Linux

affected

Version	Status	Constraints
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f2f65b28d802a667119147444ec2ae33eebf9a58)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,715c263119fd1b918a9fcbd8a36ea5b604a46324)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,e15768e68820142077bbca402d8e902f64ade1b0)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,496269d12072ecb219826485bdbec70c92a8eef5)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d2a0cac10597068567d336e85fa3cbdbe8ca62bf)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a release that incorporates the commit series fixing the waiting logic
If an upgrade cannot be performed immediately, rebuild the kernel by applying the patch identified in the cited commit logs
As a temporary mitigation, disable iommu.strict by setting "iommu.strict=0" until a kernel update or patch is applied

Generated by OpenCVE AI on May 6, 2026 at 14:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/496269d12072ecb219826485bdbec70c92a8eef5
https://git.kernel.org/stable/c/715c263119fd1b918a9fcbd8a36ea5b604a46324
https://git.kernel.org/stable/c/d2a0cac10597068567d336e85fa3cbdbe8ca62bf
https://git.kernel.org/stable/c/e15768e68820142077bbca402d8e902f64ade1b0
https://git.kernel.org/stable/c/f2f65b28d802a667119147444ec2ae33eebf9a58
https://lore.kernel.org/linux-cve-announce/2026050604-CVE-2026-43253-838c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43253
https://www.cve.org/CVERecord?id=CVE-2026-43253

History

Thu, 07 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-413
References		https://lore.kernel.org/linux-cve-announce/2026050604-CVE-2026-43253-838c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43253 https://www.cve.org/CVERecord?id=CVE-2026-43253
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 06 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-669 CWE-737

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: iommu/amd: move wait_on_sem() out of spinlock With iommu.strict=1, the existing completion wait path can cause soft lockups under stressed environment, as wait_on_sem() busy-waits under the spinlock with interrupts disabled. Move the completion wait in iommu_completion_wait() out of the spinlock. wait_on_sem() only polls the hardware-updated cmd_sem and does not require iommu->lock, so holding the lock during the busy wait unnecessarily increases contention and extends the time with interrupts disabled.
Title		iommu/amd: move wait_on_sem() out of spinlock
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/496269d12072ecb219826485bdbec70c92a8eef5 https://git.kernel.org/stable/c/715c263119fd1b918a9fcbd8a36ea5b604a46324 https://git.kernel.org/stable/c/d2a0cac10597068567d336e85fa3cbdbe8ca62bf https://git.kernel.org/stable/c/e15768e68820142077bbca402d8e902f64ade1b0 https://git.kernel.org/stable/c/f2f65b28d802a667119147444ec2ae33eebf9a58

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:43.160Z

Updated: 2026-05-06T11:28:43.160Z

Reserved: 2026-05-01T14:12:55.996Z

Link: CVE-2026-43253

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:46.033

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43253

Redhat

Severity : Low

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43253 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T18:30:09Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object