Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Clear Present bit before tearing down PASID entry

The Intel VT-d Scalable Mode PASID table entry consists of 512 bits (64
bytes). When tearing down an entry, the current implementation zeros the
entire 64-byte structure immediately using multiple 64-bit writes.

Since the IOMMU hardware may fetch these 64 bytes using multiple
internal transactions (e.g., four 128-bit bursts), updating or zeroing
the entire entry while it is active (P=1) risks a "torn" read. If a
hardware fetch occurs simultaneously with the CPU zeroing the entry, the
hardware could observe an inconsistent state, leading to unpredictable
behavior or spurious faults.

Follow the "Guidance to Software for Invalidations" in the VT-d spec
(Section 6.5.3.3) by implementing the recommended ownership handshake:

1. Clear only the 'Present' (P) bit of the PASID entry.
2. Use a dma_wmb() to ensure the cleared bit is visible to hardware
before proceeding.
3. Execute the required invalidation sequence (PASID cache, IOTLB, and
Device-TLB flush) to ensure the hardware has released all cached
references.
4. Only after the flushes are complete, zero out the remaining fields
of the PASID entry.

Also, add a dma_wmb() in pasid_set_present() to ensure that all other
fields of the PASID entry are visible to the hardware before the Present
bit is set.
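
The teardown order in steps 1-4 can be modelled in user space. The following is an added example, not code from the kernel patch: it interleaves a simulated four-burst hardware fetch with the old immediate-zero teardown and with the handshake, and reports whether hardware ends up holding a copy marked Present with inconsistent fields. The helper names, the position of the Present bit (bit 0 of the first qword), the fence standing in for dma_wmb(), and the sample field values are assumptions of the model.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>
#define PASID_P 1ULL                            /* assumed: Present is bit 0 of qword 0 */
struct pasid_entry { uint64_t val[8]; };        /* 512 bits = 64 bytes */
struct hw_fetch { uint64_t buf[8]; int next; }; /* in-flight fetch, four 128-bit bursts */

/* User-space stand-in for the kernel's dma_wmb(). */
static void model_dma_wmb(void) { atomic_thread_fence(memory_order_release); }
/* Hardware copies the next 128-bit burst (two qwords) of the entry. */
static void hw_burst(struct hw_fetch *f, const struct pasid_entry *pe) {
    memcpy(&f->buf[2 * f->next], &pe->val[2 * f->next], 16);
    f->next++;
}

/* Modelled invalidation: let the in-flight fetch drain, then report whether
 * hardware holds a copy marked Present whose fields differ from the original. */
static int flush_and_check(struct hw_fetch *f, const struct pasid_entry *pe,
                           const struct pasid_entry *orig) {
    while (f->next < 4) hw_burst(f, pe);
    return (f->buf[0] & PASID_P) && memcmp(f->buf, orig->val, 64) != 0;
}
static struct pasid_entry sample_entry(void) {  /* constructed field values */
    struct pasid_entry pe;
    for (int i = 0; i < 8; i++) pe.val[i] = 0x1111111111111110ULL * (i + 1);
    pe.val[0] |= PASID_P;
    return pe;
}

/* Old behaviour: zero all 64 bytes while a fetch is between bursts. Returns 1. */
int torn_with_immediate_zero(void) {
    struct pasid_entry orig = sample_entry(), pe = orig;
    struct hw_fetch f = {0};
    hw_burst(&f, &pe);                          /* burst 0 is read with P=1 */
    memset(&pe, 0, sizeof(pe));                 /* CPU zeroes the live entry */
    return flush_and_check(&f, &pe, &orig);
}

/* Handshake from the description above. Returns 0. */
int torn_with_handshake(void) {
    struct pasid_entry orig = sample_entry(), pe = orig;
    struct hw_fetch f = {0};
    hw_burst(&f, &pe);                          /* same in-flight fetch as above */
    pe.val[0] &= ~PASID_P;                      /* 1. clear only Present */
    model_dma_wmb();                            /* 2. make P=0 visible first */
    int torn = flush_and_check(&f, &pe, &orig); /* 3. invalidate; fetch drains */
    memset(&pe, 0, sizeof(pe));                 /* 4. zero the remaining fields */
    return torn;
}
int main(void) { return !(torn_with_immediate_zero() == 1 && torn_with_handshake() == 0); }
```
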
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the Linux kernel tears down an Intel VT-d PASID table entry by zeroing the entire 64-byte structure while the entry is still active (Present bit set). Because the IOMMU hardware may fetch the entry through multiple internal bursts, writing to the memory while it is being read can produce a torn or partially updated view. This inconsistency can trigger hardware misbehaviour, spurious faults, or unpredictable device operation, essentially a race-condition problem (CWE-362).

Affected Systems

All Linux kernel builds that include VT-d support and have not applied the recent fix are affected. The affected vendor is Linux; the vendor product is the Linux kernel. No specific version list is provided in the advisory, indicating that the issue existed in the kernel until the patch was merged.

Risk and Exploitability

No CVSS score is supplied, and the EPSS metric is unavailable; the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a low‑privilege or privileged local attacker who can trigger the vulnerable IOMMU teardown sequence, for example by manipulating devices or submitting I/O requests that cause a PASID entry to be torn down. The impact is a possible denial of service or device corruption, but no known exploit has been made publicly available, suggesting a moderate to high risk conditioned on the presence of the vulnerable code path.

Generated by OpenCVE AI on May 27, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that clears only the Present bit before zeroing the PASID entry and implements the required DMA memory barrier and invalidation sequence.
  • Ensure driver code follows the same pattern: clear the Present bit, issue dma_wmb(), perform PASID cache, IOTLB, and Device‑TLB flushes, then zero the remaining fields.
  • Audit and monitor systems for unexpected kernel panics or device faults that could indicate residual race conditions; if a patch cannot be applied, closely observe for symptoms of a torn read.



Advisories

No advisories yet.

History

Wed, 27 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-362

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Title | | iommu/vt-d: Clear Present bit before tearing down PASID entry
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:04.866Z

Reserved: 2026-05-13T15:03:33.083Z

Link: CVE-2026-45894

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:03.610

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:00:14Z
