Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Clear Present bit before tearing down context entry

When tearing down a context entry, the current implementation zeros the
entire 128-bit entry using multiple 64-bit writes. This creates a window
where the hardware can fetch a "torn" entry — where some fields are
already zeroed while the 'Present' bit is still set — leading to
unpredictable behavior or spurious faults.

While x86 provides strong write ordering, the compiler may reorder writes
to the two 64-bit halves of the context entry. Even without compiler
reordering, the hardware fetch is not guaranteed to be atomic with
respect to multiple CPU writes.

Align with the "Guidance to Software for Invalidations" in the VT-d spec
(Section 6.5.3.3) by implementing the recommended ownership handshake:

1. Clear only the 'Present' (P) bit of the context entry first to
signal the transition of ownership from hardware to software.
2. Use dma_wmb() to ensure the cleared bit is visible to the IOMMU.
3. Perform the required cache and context-cache invalidation to ensure
hardware no longer has cached references to the entry.
4. Fully zero out the entry only after the invalidation is complete.

Also, add a dma_wmb() to context_set_present() to ensure the entry
is fully initialized before the 'Present' bit becomes visible.
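The ordering problem and the four-step handshake above are easiest to see in a small userspace model. The following is an added example, not code from the kernel or from the commit: it keeps the VT-d context-entry layout (Present in bit 0 of the low qword, table pointer in lo[63:12], address width in hi[2:0], domain ID in hi[23:8]), but the "fetch" points, the context-cache struct, the sample values, and the use of a C11 release fence as a stand-in for dma_wmb() are all constructed for illustration. A "fetch" models the IOMMU reading the two qwords at some instant between CPU stores; the pre-fix path writes the high qword first, which is one ordering the compiler is free to choose for two independent plain stores.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 128-bit VT-d context entry (example code, not the
 * kernel's). Present is bit 0 of lo; the second-level table pointer sits in
 * lo[63:12]; address width is hi[2:0]; domain ID is hi[23:8]. */
struct ctx_entry {
    uint64_t lo;
    uint64_t hi;
};

#define CTX_PRESENT   1ULL
#define CTX_ROOT_MASK (~0xfffULL)

/* Snapshots taken at the points where the IOMMU could read the entry. */
struct fetch_trace {
    struct ctx_entry seen[8];
    size_t n;
};

/* Simulated context cache: whether hardware still holds a copy. */
struct ctx_cache {
    bool valid;
};

/* Hypothetical stand-in for dma_wmb(): orders stores before it ahead of
 * stores after it. Only models the compiler/CPU side, not the device. */
static void model_dma_wmb(void) { atomic_thread_fence(memory_order_release); }

static void fetch(struct fetch_trace *t, const struct ctx_entry *e)
{
    if (t->n < 8) t->seen[t->n++] = *e;
}

/* Programming path as fixed: fill every field, barrier, then set Present. */
void ctx_program(struct ctx_entry *e, uint64_t root, unsigned aw, unsigned did)
{
    e->lo = root & CTX_ROOT_MASK;
    e->hi = (aw & 0x7ULL) | ((uint64_t)(did & 0xffffU) << 8);
    model_dma_wmb();
    e->lo |= CTX_PRESENT;
}

/* Pre-fix teardown: two plain stores, hi first. Between them the entry
 * reads as Present with AW and DID already zeroed, i.e. torn. */
void ctx_clear_torn(struct ctx_entry *e, struct ctx_cache *c, struct fetch_trace *t)
{
    e->hi = 0;
    fetch(t, e);
    e->lo = 0;
    fetch(t, e);
    c->valid = false;          /* invalidation only after the stores */
}

/* Fixed teardown: the ownership handshake from VT-d spec 6.5.3.3. */
void ctx_clear_handshake(struct ctx_entry *e, struct ctx_cache *c, struct fetch_trace *t)
{
    e->lo &= ~CTX_PRESENT;     /* 1. hand the entry back to software */
    fetch(t, e);
    model_dma_wmb();           /* 2. make the cleared Present bit visible */
    c->valid = false;          /* 3. context-cache invalidation */
    fetch(t, e);
    e->lo = 0;                 /* 4. only now zero the whole entry */
    fetch(t, e);
    e->hi = 0;
    fetch(t, e);
}

/* A snapshot is torn if it claims Present but its other fields no longer
 * match what software programmed. */
bool trace_has_torn_entry(const struct fetch_trace *t, const struct ctx_entry *programmed)
{
    for (size_t i = 0; i < t->n; i++) {
        const struct ctx_entry *s = &t->seen[i];
        if (!(s->lo & CTX_PRESENT))
            continue;
        if ((s->lo & CTX_ROOT_MASK) != (programmed->lo & CTX_ROOT_MASK) ||
            s->hi != programmed->hi)
            return true;
    }
    return false;
}

/* Run one teardown path over a freshly programmed entry.
 * Returns 1 if a torn fetch was observable, 0 otherwise. */
int run_teardown(bool use_handshake)
{
    struct ctx_entry e = {0}, programmed;
    struct ctx_cache cache = { .valid = true };
    struct fetch_trace trace = { .n = 0 };

    ctx_program(&e, 0x123456000ULL, 2, 0x42);   /* constructed sample values */
    programmed = e;
    if (use_handshake)
        ctx_clear_handshake(&e, &cache, &trace);
    else
        ctx_clear_torn(&e, &cache, &trace);
    return trace_has_torn_entry(&trace, &programmed) ? 1 : 0;
}

int main(void)
{
    printf("pre-fix teardown, torn fetch observable: %d\n", run_teardown(false));
    printf("handshake teardown, torn fetch observable: %d\n", run_teardown(true));
    return 0;
}
```

The point of the model is the invariant the handshake restores: at no observation point does the entry read as Present with fields that differ from what software programmed, because Present is cleared in a single store before anything else changes, and the full zeroing waits until the hardware has been told to drop its cached copy. The model does not reproduce a non-atomic hardware read of the two qwords, which the commit message names as a second reason the old sequence is unsafe even without compiler reordering.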
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's VT-d driver zeroes a 128-bit context entry with two separate 64-bit stores, and nothing clears the Present bit first or orders the two stores relative to each other. If the IOMMU fetches the entry between those stores, it can observe a partially zeroed entry whose Present bit is still set, for example with the domain ID or address width cleared while the entry still appears valid. The commit describes the consequence as unpredictable behaviour or spurious faults: the hardware may act on an inconsistent translation for a DMA-capable device during the teardown window. The advisory does not substantiate memory corruption or privilege escalation, so those should be treated as unconfirmed worst cases rather than a demonstrated impact.

Affected Systems

Any Linux kernel that carries the pre-fix teardown sequence (two plain 64-bit stores with no prior clear of the Present bit) is affected. The record lists no version range, so the only reliable check is whether the running kernel contains the commit titled above. Only systems using the Intel VT-d driver are relevant in practice, i.e. x86 hosts with an Intel IOMMU enabled.

Risk and Exploitability

No CVSS or EPSS values are published and the issue is not listed in CISA KEV, so there is no indication of active exploitation. The window opens only while a context entry is being torn down (for example when a device is detached from a domain) and is a race against the hardware fetch rather than something an attacker triggers directly; turning it into memory access would require a DMA-capable device to issue requests at exactly that moment and the torn entry to resolve to a usable translation, which the advisory does not demonstrate. Treat it as a correctness fix with an unquantified security impact, most relevant where untrusted or hot-pluggable devices sit behind the IOMMU and are frequently attached and detached.

Generated by OpenCVE AI on May 27, 2026 at 17:28 UTC.

Remediation

The OpenCVE remediation field lists no vendor fix or workaround. The description states the issue is resolved upstream, so the fix is the kernel commit carrying the title above.

OpenCVE Recommended Actions

  • Update to a kernel that contains the VT-d ownership handshake: clear the Present bit first, dma_wmb(), invalidate, then zero the entry
  • Confirm the running kernel actually includes the commit titled above (changelog or git history), rather than relying on the version string alone
  • If an immediate kernel upgrade is not possible, keep untrusted or hot-pluggable DMA-capable devices off the system, or avoid detaching and re-attaching them, since the window exists only while a context entry is being torn down

Generated by OpenCVE AI on May 27, 2026 at 17:28 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 27 May 2026 17:45:00 +0000

Weaknesses: added CWE-362, CWE-364

Wed, 27 May 2026 14:15:00 +0000

Description: added "In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clear Present bit before tearing down context entry When tearing down a context entry, the current implementation zeros the entire 128-bit entry using multiple 64-bit writes. This creates a window where the hardware can fetch a "torn" entry — where some fields are already zeroed while the 'Present' bit is still set — leading to unpredictable behavior or spurious faults. While x86 provides strong write ordering, the compiler may reorder writes to the two 64-bit halves of the context entry. Even without compiler reordering, the hardware fetch is not guaranteed to be atomic with respect to multiple CPU writes. Align with the "Guidance to Software for Invalidations" in the VT-d spec (Section 6.5.3.3) by implementing the recommended ownership handshake: 1. Clear only the 'Present' (P) bit of the context entry first to signal the transition of ownership from hardware to software. 2. Use dma_wmb() to ensure the cleared bit is visible to the IOMMU. 3. Perform the required cache and context-cache invalidation to ensure hardware no longer has cached references to the entry. 4. Fully zero out the entry only after the invalidation is complete. Also, add a dma_wmb() to context_set_present() to ensure the entry is fully initialized before the 'Present' bit becomes visible."
Title: added "iommu/vt-d: Clear Present bit before tearing down context entry"
First Time appeared: Linux; Linux linux Kernel
CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: added Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:18:00.481Z

Reserved: 2026-05-13T15:03:33.087Z

Link: CVE-2026-45944

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:10.677

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45944

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T17:30:38Z

Weaknesses