CVE-2026-31735
Awaiting Analysis
iommupt Short Gather Fix in Linux Kernel

Publication date: 2026-05-01

Last updated on: 2026-05-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

iommupt: Fix short gather if the unmap goes into a large mapping

unmap has the odd behavior that it can unmap more than requested if the ending point lands within the middle of a large or contiguous IOPTE.

In this case the gather should flush everything unmapped which can be larger than what was requested to be unmapped. The gather was only flushing the range requested to be unmapped, not extending to the extra range, resulting in a short invalidation if the caller hits this special condition.

This was found by the new invalidation/gather test I am adding in preparation for ARMv8. Claude deduced the root cause.

As far as I remember nothing relies on unmapping a large entry, so this is likely not a triggerable bug.

Meta Information
Published: 2026-05-01
Last Modified: 2026-05-03
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux | Product: linux_kernel | Version / Range: *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's iommupt component related to how memory unmapping is handled.

Specifically, when unmapping memory ranges, the unmap operation can sometimes unmap more memory than requested if the end point falls within a large or contiguous IOPTE (Input-Output Page Table Entry).

The gather operation, which is supposed to flush all unmapped memory, was only flushing the originally requested range and not the extended range actually unmapped. This caused a short invalidation, meaning some memory that should have been invalidated was not.

However, it is noted that this is likely not a triggerable bug because nothing relies on unmapping a large entry in this way.
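
A toy model of the condition described above, added here as an illustration; it is not the kernel's iommupt code. The table layout, the struct and function names and the `extend_gather` switch are assumptions made for the example, and the sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model, not kernel code. Each entry maps [start, start + size). */
struct entry { uint64_t start, size; int present; };
struct gather { uint64_t start, end; };  /* range to invalidate, end exclusive */

/* Constructed table: two 4K entries followed by one 2M large entry. */
static void table_init(struct entry t[3])
{
    t[0] = (struct entry){ 0x1FE000, 0x1000, 1 };
    t[1] = (struct entry){ 0x1FF000, 0x1000, 1 };
    t[2] = (struct entry){ 0x200000, 0x200000, 1 };
}

/* Clear every entry overlapping [iova, iova + len). Entries are cleared whole,
 * so an end point inside the large entry unmaps past the request.
 * Returns the bytes actually unmapped, counted from iova. */
static uint64_t unmap(struct entry *t, int n, uint64_t iova, uint64_t len,
                      struct gather *g, int extend_gather)
{
    uint64_t end = iova + len, unmapped_end = end;
    for (int i = 0; i < n; i++) {
        uint64_t e_end = t[i].start + t[i].size;
        if (!t[i].present || t[i].start >= end || e_end <= iova)
            continue;
        t[i].present = 0;
        if (e_end > unmapped_end) unmapped_end = e_end;
    }
    g->start = iova;
    /* Short gather: requested end only. Fixed: everything that was unmapped. */
    g->end = extend_gather ? unmapped_end : end;
    return unmapped_end - iova;
}

/* Bytes unmapped but left outside the gather: translations not invalidated. */
static uint64_t stale_bytes(uint64_t iova, uint64_t unmapped, const struct gather *g)
{
    return iova + unmapped > g->end ? iova + unmapped - g->end : 0;
}

int main(void)
{
    struct entry t[3]; struct gather g;
    table_init(t);
    uint64_t u = unmap(t, 3, 0x1FE000, 0x3000, &g, 0);
    printf("short: %#llx\n", (unsigned long long)stale_bytes(0x1FE000, u, &g));
    return 0;
}
```

The request ends 4K into the 2M entry, so the whole entry is cleared; with `extend_gather` set to 0 the gather stops at the requested end, and with 1 it covers the full unmapped range.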


How can this vulnerability impact me?

Because the vulnerability causes a short invalidation during memory unmapping, it could theoretically lead to stale or incorrect memory mappings being used.

This might result in unexpected behavior or security issues related to memory access if the condition were triggered.

However, the description indicates that this bug is likely not triggerable in practice, so the real-world impact is minimal or nonexistent.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability relates to a specific behavior in the Linux kernel's iommupt component involving unmap operations on large mappings. Detection would require checking for the presence of the vulnerable kernel version or monitoring for unusual invalidation behavior during unmap operations.

However, no specific detection commands or network/system indicators are provided in the available information.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by fixing the short gather behavior during unmap operations on large mappings.

Immediate mitigation would involve updating the Linux kernel to a version that includes this fix.

No other specific mitigation steps or workarounds are provided.

