Impact
The vulnerability resides in the Linux kernel’s __rlookup_amd_iommu() routine, where an index into the rlookup_table array is performed without verifying that the device’s BDF does not exceed the last BDF described by the system’s IVRS. When a PCI device has a BDF outside that range, the kernel reads past the end of the allocated table, retrieves adjacent slab objects, and dereferences them as if they were valid amd_iommu structures. This out‑of‑bounds read leads to a general protection fault during device initialization, causing the system to crash at boot time—a clear denial of service. The weakness is a bounds‑check failure (CWE-193).
Affected Systems
All Linux kernel 6.18.x versions that use the vulnerable rlookup_table allocator before the 6.18.22 update, including mainstream distributions that ship the kernel with AMD IOMMU support was observed on Google Compute Engine ct6e VMs running kernel 6.18.22 with a gVNIC device whose. Systems running earlier 6.18 releases or similar configurations are potentially affected until the fix is applied.
Risk and Exploitability
It appears that the flaw is local, inferred from the fact that it is triggered during kernel initialization when enumerating PCI devices. The CVSS score is 5.5, indicating moderate severity, and the EPSS score is < 1%, suggesting a low exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. The boot‑time crash can render the system inoperable until the offending device is removed or the kernel is upgraded, so the risk remains moderate in environments where untrusted PCI devices can be introduced before the kernel fully initializes.
OpenCVE Enrichment