CVE-2026-23361
Race Condition in Linux dwc_pcie_ep MSI-X Handling Causes Memory Corruption
Publication date: 2026-03-25
Last updated on: 2026-04-24
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 4.19 |
| linux | linux_kernel | From 6.19 (inc) to 6.19.7 (exc) |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.17 (exc) |
| linux | linux_kernel | From 4.19.1 (inc) to 6.12.77 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's PCI endpoint driver, specifically in the function dw_pcie_ep_raise_msix_irq(). This function raises an MSI-X interrupt to the host using a writel() operation, which generates a PCI posted write transaction. However, posted writes do not have a completion signal, so the writel() call may return before the PCI write actually completes.
The problem arises because dw_pcie_ep_raise_msix_irq() also unmaps the outbound Address Translation Unit (ATU) entry used for the PCI write. This creates a race condition where the PCI write may still be in progress while the ATU entry is unmapped.
If the PCI write loses this race with the ATU unmap, it can lead to corruption of host memory or cause IOMMU errors. The fix involves flushing the write by performing a readl() of the same address to ensure the write has completed before the ATU entry is unmapped.
How can this vulnerability impact me? :
This vulnerability can cause corruption of host memory or trigger IOMMU errors during PCI MSI-X interrupt handling. Such corruption or errors can lead to system instability, crashes, or unexpected behavior, especially in systems using PCI endpoint devices that rely on MSI-X interrupts.
In practical terms, this could affect workloads that involve high queue depths or intensive I/O operations, such as running fio against nvmet-pci-epf, potentially causing data integrity issues or system faults.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability may manifest as IOMMU errors or memory corruption related to PCI posted writes racing with ATU unmapping.
Specifically, you might observe kernel messages similar to:
- arm-smmu-v3 fc900000.iommu: 0x0000010000000010
- arm-smmu-v3 fc900000.iommu: 0x0000020000000000
- arm-smmu-v3 fc900000.iommu: 0x000000090000f040
- arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0
- arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0
To detect this on your system, monitor kernel logs (e.g., using dmesg or journalctl) for such IOMMU error messages when running PCI endpoint drivers or workloads like fio with high queue depths against nvmet-pci-epf.
No specific commands are provided in the available information to directly detect the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is mitigated by ensuring that the PCI posted write completes before unmapping its ATU entry.
Specifically, the fix involves flushing the write by performing a readl() of the same address after the writel() to guarantee the write has reached its destination before the ATU entry is unmapped.
Therefore, immediate mitigation steps include updating the Linux kernel to a version that contains this fix.
No other immediate configuration or workaround steps are provided in the available information.