Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix race condition during PASID entry replacement

The Intel VT-d PASID table entry is 512 bits (64 bytes). When replacing
an active PASID entry (e.g., during domain replacement), the current
implementation calculates a new entry on the stack and copies it to the
table using a single structure assignment.

struct pasid_entry *pte, new_pte;

pte = intel_pasid_get_entry(dev, pasid);
pasid_pte_config_first_level(iommu, &new_pte, ...);
*pte = new_pte;

Because the hardware may fetch the 512-bit PASID entry in multiple
128-bit chunks, updating the entire entry while it is active (Present
bit set) risks a "torn" read. In this scenario, the IOMMU hardware
could observe an inconsistent state — partially new data and partially
old data — leading to unpredictable behavior or spurious faults.

Fix this by removing the unsafe "replace" helpers and following the
"clear-then-update" flow, which ensures the Present bit is cleared and
the required invalidation handshake is completed before the new
configuration is applied.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a race condition that occurs when an active Intel VT‑d PASID table entry is replaced by a single 512‑bit structure assignment. Because the hardware can fetch the entry in 128‑bit chunks, writing the new entry while the present bit remains set can produce a partially updated entry in I/O memory. The IOMMU may observe this torn read, leading to unpredictable device behavior or spurious faults, which can manifest as a denial‑of‑service condition for VMs or passthrough devices.

Affected Systems

Vendor: Linux; product: Linux kernel. No specific kernel version is listed in the CNA data; the fix is applicable to any kernel that implements the identified race condition in the passthrough IOMMU code.

Risk and Exploitability

The CVSS and EPSS scores are not provided, and the vulnerability is not catalogued in CISA KEV. The issue requires that an attacker can trigger a domain replacement that includes an active PASID entry, implying at least local privilege is needed. While the lack of an EPSS score limits quantification, the risk remains non‑negligible because a misconfigured or malicious kernel may cause IOMMU faults, potentially disrupting virtual machines or compromising the isolation guarantees of I/O devices. The mitigation is binary: applying the kernel patch that replaces the unsafe assignment with a clear‑then‑update flow.

Generated by OpenCVE AI on May 27, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch contained in commit 66a7aff4… which implements the clear‑then‑update flow for PASID entries
  • Reboot the system to ensure that the updated IOMMU controller state takes effect in hardware
  • If an update cannot be applied immediately, consider disabling Intel VT‑d passthrough or avoid performing domain replacements that trigger PASID updates until the kernel is patched

Generated by OpenCVE AI on May 27, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix race condition during PASID entry replacement The Intel VT-d PASID table entry is 512 bits (64 bytes). When replacing an active PASID entry (e.g., during domain replacement), the current implementation calculates a new entry on the stack and copies it to the table using a single structure assignment. struct pasid_entry *pte, new_pte; pte = intel_pasid_get_entry(dev, pasid); pasid_pte_config_first_level(iommu, &new_pte, ...); *pte = new_pte; Because the hardware may fetch the 512-bit PASID entry in multiple 128-bit chunks, updating the entire entry while it is active (Present bit set) risks a "torn" read. In this scenario, the IOMMU hardware could observe an inconsistent state — partially new data and partially old data — leading to unpredictable behavior or spurious faults. Fix this by removing the unsafe "replace" helpers and following the "clear-then-update" flow, which ensures the Present bit is cleared and the required invalidation handshake is completed before the new configuration is applied.
Title iommu/vt-d: Fix race condition during PASID entry replacement
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:18:01.345Z

Reserved: 2026-05-13T15:03:33.088Z

Link: CVE-2026-45945

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:10.790

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45945

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T17:30:38Z

Weaknesses