Description
In the Linux kernel, the following vulnerability has been resolved:

arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults

contpte_ptep_set_access_flags() compared the gathered ptep_get() value
against the requested entry to detect no-ops. ptep_get() ORs AF/dirty
from all sub-PTEs in the CONT block, so a dirty sibling can make the
target appear already-dirty. When the gathered value matches entry, the
function returns 0 even though the target sub-PTE still has PTE_RDONLY
set in hardware.

For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may
set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered
across the CONT range. But page-table walkers that evaluate each
descriptor individually (e.g. a CPU without DBM support, or an SMMU
without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the
unchanged target sub-PTE, causing an infinite fault loop.

Gathering can therefore cause false no-ops when only a sibling has been
updated:
- write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)
- read faults: target still lacks PTE_AF

Fix by checking each sub-PTE against the requested AF/dirty/write state
(the same bits consumed by __ptep_set_access_flags()), using raw
per-PTE values rather than the gathered ptep_get() view, before
returning no-op. Keep using the raw target PTE for the write-bit unfold
decision.

Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT
range may become the effective cached translation and software must
maintain consistent attributes across the range.
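The model below is an added illustration, not the kernel's code, of the false no-op the commit message describes: a gathered ptep_get()-style view of one sub-PTE against the per-sub-PTE check the fix introduces. The 16-entry CONT block and the bit positions are assumptions taken from the arm64 4K-page layout, and the rule that marking a writable PTE dirty clears PTE_RDONLY in the software view is modelled here, not quoted from the page.

```c
#include <stdbool.h>
#include <stdint.h>

#define CONT_PTES   16                   /* sub-PTEs per CONT block (4K pages) */
#define PTE_RDONLY  (UINT64_C(1) << 7)   /* hardware read-only bit */
#define PTE_AF      (UINT64_C(1) << 10)  /* hardware access flag */
#define PTE_WRITE   (UINT64_C(1) << 51)  /* software writable (DBM) bit */
#define PTE_DIRTY   (UINT64_C(1) << 55)  /* software dirty bit */
#define ACCESS_BITS (PTE_RDONLY | PTE_AF | PTE_WRITE | PTE_DIRTY)

/* Gathered view of sub-PTE idx: young if any sibling is young, dirty if any
 * sibling is dirty. Marking a writable PTE dirty also clears PTE_RDONLY in this
 * software view, which is what hides a target whose hardware bit is still set. */
static uint64_t gathered_get(const uint64_t *block, int idx) {
    uint64_t v = block[idx];
    for (int i = 0; i < CONT_PTES; i++) {
        if (block[i] & PTE_AF)
            v |= PTE_AF;
        if (block[i] & PTE_DIRTY) {
            v |= PTE_DIRTY;
            if (v & PTE_WRITE)
                v &= ~PTE_RDONLY;
        }
    }
    return v;
}

/* Pre-fix no-op test: the gathered value already equals the requested entry. */
bool noop_gathered(const uint64_t *block, int idx, uint64_t entry) {
    return gathered_get(block, idx) == entry;
}

/* Post-fix no-op test: every raw sub-PTE must already hold the requested
 * AF/dirty/write state; any mismatch means the update has to be applied. */
bool noop_per_pte(const uint64_t *block, uint64_t entry) {
    for (int i = 0; i < CONT_PTES; i++)
        if ((block[i] ^ entry) & ACCESS_BITS)
            return false;
    return true;
}

/* Constructed scenario: a clean, writable CONT block whose sub-PTE 0 is already
 * dirty, then a write fault on sub-PTE 3. Returns the entry the fault requests. */
uint64_t build_scenario(uint64_t *block) {
    for (int i = 0; i < CONT_PTES; i++)
        block[i] = ((UINT64_C(0x40000) + i) << 12) | PTE_AF | PTE_WRITE | PTE_RDONLY;
    block[0] = (block[0] | PTE_DIRTY) & ~PTE_RDONLY; /* dirty sibling */
    return (block[3] | PTE_DIRTY) & ~PTE_RDONLY;     /* target: dirty, writable */
}
```

In the constructed scenario the gathered check reports a no-op while sub-PTE 3 still carries PTE_RDONLY in hardware, which is the state a per-descriptor walker keeps faulting on; the per-sub-PTE check correctly reports that the update must proceed.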
Published: 2026-05-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the arm64 Linux kernel, the routine that sets page-table access flags incorrectly reports a no-op when the gathered view of a contiguous (CONT) block matches the requested state. Because the kernel ORs the access and dirty flags from all sub-PTEs in the block, an update to a sibling entry can make the target entry appear up to date even though hardware still marks it read-only or lacking the access flag. A page-table walker that evaluates each descriptor individually (a CPU without DBM, or an SMMU without HTTU) then faults repeatedly on the stale entry, producing an endless fault loop. The result is a denial of service when a fault is triggered on an unchanged entry; it is unclear from the description whether elevated privileges are required or whether ordinary memory accesses, which inevitably lead to faults, will always trigger the issue (this is inferred).

Affected Systems

All arm64 Linux kernels that lack the patch and use system memory management units (SMMUs) without hardware translation table update (HTTU), or CPUs without DBM (FEAT_HAFDBS) support. The problem also applies to systems where the SMMU has HA/HD disabled in CD.TCR. No specific kernel versions are listed in the advisory, so any kernel built before the commit series that implements the per-sub-PTE check is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and EPSS is 0.00018 (less than 0.02%), so the quantified exploitation probability is extremely low. The vulnerability is not in CISA’s KEV catalog, indicating no public exploitation evidence yet. Nevertheless, an attacker could trigger the fault loop by forcing a fault on a vulnerable entry, which can occur during ordinary operations. The likelihood of exploitation depends on the presence of the fragile configuration; if an attacker can cause a fault on such an entry, the device can be brought to a halted state.

Generated by OpenCVE AI on May 14, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that implements a per‑sub‑PTE check before declaring a no‑op; the relevant commits are linked in the official references.
  • Upgrade the kernel to a version that includes this patch (e.g., Linux kernel newer than the commit series referenced).
  • After applying the patch, reboot the system to flush TLB entries and verify that the firmware or BIOS supports HTTU or DBM; if these features are missing, consider disabling the SMMU or updating the firmware to eliminate the fault loop condition.



Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-715
CWE-730

Thu, 14 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-715
CWE-730

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description (identical to the Description section at the top of this page)
Title arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-13T15:08:32.085Z

Reserved: 2026-05-01T14:12:56.012Z

Link: CVE-2026-43486

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-13T16:16:51.880

Modified: 2026-05-13T16:16:51.880

Link: CVE-2026-43486

Redhat

Severity: Moderate

Public Date: 2026-05-13T00:00:00Z

Links: CVE-2026-43486 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-14T16:00:15Z

Weaknesses