Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix race condition during PASID entry replacement

The Intel VT-d PASID table entry is 512 bits (64 bytes). When replacing
an active PASID entry (e.g., during domain replacement), the current
implementation calculates a new entry on the stack and copies it to the
table using a single structure assignment.

struct pasid_entry *pte, new_pte;

pte = intel_pasid_get_entry(dev, pasid);
pasid_pte_config_first_level(iommu, &new_pte, ...);
*pte = new_pte;

Because the hardware may fetch the 512-bit PASID entry in multiple
128-bit chunks, updating the entire entry while it is active (Present
bit set) risks a "torn" read. In this scenario, the IOMMU hardware
could observe an inconsistent state — partially new data and partially
old data — leading to unpredictable behavior or spurious faults.

Fix this by removing the unsafe "replace" helpers and following the
"clear-then-update" flow, which ensures the Present bit is cleared and
the required invalidation handshake is completed before the new
configuration is applied.
Published: 2026-05-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s VT‑d IOMMU driver, the 512‑bit Pass‑Through ID (PASID) table entry is updated via a single 512‑bit assignment. Because Intel IOMMU hardware fetches these entries in 128‑bit chunks, writing a full entry while the Present bit remains set can produce a torn read, leaving the hardware with a mix of old and new data. This concurrency race condition (CWE‑362) and the failure to clear the Present bit before updating (CWE‑366) can corrupt the hardware state, leading to spurious faults, unpredictable device behavior, or a denial of service for virtual machines and passthrough devices.

Affected Systems

Any Linux kernel build that includes the VT‑d passthrough IOMMU driver is potentially affected, including the mainline kernel and distribution kernels that have not yet incorporated the commit that removes the unsafe 512‑bit assignment. The advisory does not list specific kernel versions, so all kernel releases before the fix should be considered at risk.

Risk and Exploitability

With a CVSS score of 8.8 the vulnerability is rated high impact, but the EPSS score is reported as <1 %, indicating a very low current exploitation probability. The flaw is not listed in CISA’s KEV catalog. Attackers would need local kernel or administrative privileges to trigger a domain replacement that causes the vulnerable PASID entry replacement; therefore the attack vector is inferred to be privileged. While no active exploits are known, the combination of high CVSS and the need for privileged access suggests that applying the patch remains the safest mitigation.

Generated by OpenCVE AI on June 18, 2026 at 04:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch from commit 66a7aff4 that removes the unsafe 512‑bit assignment and implements a clear‑then‑update sequence for PASID entries.
  • Reboot the host or unload and reload the IOMMU driver to load the patched kernel and allow the updated IOMMU driver state to propagate to hardware.
  • Install any distribution‑level kernel update that incorporates the 66a7aff4 fix if the source patch is not available.

Generated by OpenCVE AI on June 18, 2026 at 04:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Thu, 28 May 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix race condition during PASID entry replacement The Intel VT-d PASID table entry is 512 bits (64 bytes). When replacing an active PASID entry (e.g., during domain replacement), the current implementation calculates a new entry on the stack and copies it to the table using a single structure assignment. struct pasid_entry *pte, new_pte; pte = intel_pasid_get_entry(dev, pasid); pasid_pte_config_first_level(iommu, &new_pte, ...); *pte = new_pte; Because the hardware may fetch the 512-bit PASID entry in multiple 128-bit chunks, updating the entire entry while it is active (Present bit set) risks a "torn" read. In this scenario, the IOMMU hardware could observe an inconsistent state — partially new data and partially old data — leading to unpredictable behavior or spurious faults. Fix this by removing the unsafe "replace" helpers and following the "clear-then-update" flow, which ensures the Present bit is cleared and the required invalidation handshake is completed before the new configuration is applied.
Title iommu/vt-d: Fix race condition during PASID entry replacement
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-30T10:46:10.887Z

Reserved: 2026-05-13T15:03:33.088Z

Link: CVE-2026-45945

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:10.790

Modified: 2026-06-17T10:52:46.377

Link: CVE-2026-45945

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45945 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T04:15:15Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-366

    Race Condition within a Thread