Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/dma: Do not try to iommu_map a 0 length region in swiotlb

iommu_dma_iova_link_swiotlb() processes a mapping that is unaligned in three
parts, the head, middle and trailer. If the middle is empty because there
are no aligned pages it will call down to iommu_map() with a 0 size
which the iommupt implementation will fail as illegal.

It then tries to do an error unwind and starts from the wrong spot
corrupting the mapping so the eventual destruction triggers a WARN_ON.

Check for 0 length and avoid mapping and use offset not 0 as the starting
point to unlink.

This is frequently triggered by using some kinds of thunderbolt NVMe
drives that trigger forced SWIOTLB for unaligned memory. NVMe seems to
pass in oddly aligned buffers for the passthrough commands from smartctl
that hit this condition.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel fails to guard against zero‑length regions when mapping with SWIOTLB, causing the iommupt implementation to reject the request and triggering an error unwind that corrupts internal mapping state. This omission leads to a WARN_ON during cleanup, indicating a kernel consistency violation that could result in a system crash or unpredictable behavior. The flaw reflects improper handling of buffer copies without length checks and accessing a buffer with an incorrect length value (CWE‑805), and manifests when unaligned buffers are passed from thunderbolt NVMe devices, particularly through smartctl passthrough commands.

Affected Systems

The vulnerability affects the Linux kernel, as identified by the vendor listing of Linux:Linux. No specific kernel version range is supplied in the data, so all kernels potentially containing the unpatched routine are considered susceptible until patch information is applied.

Risk and Exploitability

Because the flaw is triggered by a specific hardware interaction that forces SWIOTLB usage with oddly aligned buffers, an attacker would need to cause such a condition on the target system. The CVSS score of 5.5 indicates moderate risk, while the EPSS score of < 1% shows a very low probability of exploitation. The issue is not listed in CISA KEV, so there is currently no evidence of active exploitation.

Generated by OpenCVE AI on June 26, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix for the zero‑length region mapping error.
  • If an update is unavailable, avoid using thunderbolt NVMe drives with smartctl or similar utilities that push unaligned buffers through SWIOTLB.
  • Continuously monitor system logs for WARN_ON messages related to iommu_dma and SWIOTLB to detect potential exploitation attempts.

Generated by OpenCVE AI on June 26, 2026 at 15:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iommu/dma: Do not try to iommu_map a 0 length region in swiotlb iommu_dma_iova_link_swiotlb() processes a mapping that is unaligned in three parts, the head, middle and trailer. If the middle is empty because there are no aligned pages it will call down to iommu_map() with a 0 size which the iommupt implementation will fail as illegal. It then tries to do an error unwind and starts from the wrong spot corrupting the mapping so the eventual destruction triggers a WARN_ON. Check for 0 length and avoid mapping and use offset not 0 as the starting point to unlink. This is frequently triggered by using some kinds of thunderbolt NVMe drives that trigger forced SWIOTLB for unaligned memory. NVMe seems to pass in oddly aligned buffers for the passthrough commands from smartctl that hit this condition.
Title iommu/dma: Do not try to iommu_map a 0 length region in swiotlb
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:44.770Z

Reserved: 2026-06-09T07:44:35.388Z

Link: CVE-2026-53164

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53164 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T15:30:02Z

Weaknesses
  • CWE-805

    Buffer Access with Incorrect Length Value