CVE-2026-43253
Analyzed - Analysis Complete
AMD IOMMU Completion Wait Race Condition

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: move wait_on_sem() out of spinlock

With iommu.strict=1, the existing completion wait path can cause soft lockups under stressed environment, as wait_on_sem() busy-waits under the spinlock with interrupts disabled.

Move the completion wait in iommu_completion_wait() out of the spinlock. wait_on_sem() only polls the hardware-updated cmd_sem and does not require iommu->lock, so holding the lock during the busy wait unnecessarily increases contention and extends the time with interrupts disabled.

Meta Information
Published: 2026-05-06
Last Modified: 2026-05-11
Generated: 2026-06-16
AI Q&A: 2026-05-06
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 4 associated CPEs
Vendor | Product | Version / Range
linux | linux_kernel | From 6.7 (inc) to 6.12.75 (exc)
linux | linux_kernel | From 6.13 (inc) to 6.18.16 (exc)
linux | linux_kernel | From 6.19 (inc) to 6.19.6 (exc)
linux | linux_kernel | From 4.9 (inc) to 6.6.128 (exc)
CWE ID | Description
CWE-667 | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Executive Summary

This vulnerability exists in the Linux kernel's iommu/amd component. When iommu.strict=1 is set, the completion wait path calls wait_on_sem(), which busy-waits while holding a spinlock with interrupts disabled. Under stressed conditions this can cause soft lockups, because the busy-wait extends the time interrupts are disabled and increases contention on the lock.

The fix moves the completion wait in iommu_completion_wait() out of the spinlock since wait_on_sem() only polls a hardware-updated semaphore and does not require holding the iommu lock. This reduces contention and the duration interrupts are disabled, preventing soft lockups.

Impact Analysis

This vulnerability can cause soft lockups in the Linux kernel under stressed environments when iommu.strict=1 is enabled. Soft lockups mean the system can become unresponsive or experience delays because interrupts are disabled for extended periods during the busy-wait. This can degrade system performance and stability.

Mitigation Strategies

The fix moves wait_on_sem() out of the spinlock, which prevents the soft lockups seen under stressed environments.

To mitigate this vulnerability, update your Linux kernel to a version that includes the fix, in which iommu_completion_wait() no longer holds the lock during the busy wait.
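
A triage check for the update advice above, as an added example that is not part of the original advisory or the kernel project: it compares a kernel release string against the affected ranges listed on this page and looks for iommu.strict=1 on the kernel command line. The function names are hypothetical. It assumes upstream version numbering (a distribution kernel may carry the fix as a backport under an older version number) and that the host uses the AMD IOMMU driver.

```python
import re
from pathlib import Path

# Affected upstream ranges from the CPE table on this page:
# (first affected version, first fixed version); the upper bound is exclusive.
AFFECTED_RANGES = [
    ((4, 9, 0), (6, 6, 128)),
    ((6, 7, 0), (6, 12, 75)),
    ((6, 13, 0), (6, 18, 16)),
    ((6, 19, 0), (6, 19, 6)),
]


def parse_release(release):
    """Turn a `uname -r` string such as '6.12.40-generic' into (6, 12, 40)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def in_affected_range(release):
    """True if the upstream version number falls inside a listed range."""
    v = parse_release(release)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def strict_on_cmdline(cmdline):
    """True if iommu.strict=1 is passed explicitly on the kernel command line."""
    return "iommu.strict=1" in cmdline.split()


def assess(release, cmdline):
    """Classify a host from its kernel release and kernel command line."""
    if not in_affected_range(release):
        return "not in affected range"
    if strict_on_cmdline(cmdline):
        return "affected range, iommu.strict=1 set: prioritise update"
    return "affected range, iommu.strict=1 not on command line: update"


if __name__ == "__main__":
    import platform
    cmdline_file = Path("/proc/cmdline")
    cmdline = cmdline_file.read_text() if cmdline_file.exists() else ""
    print(assess(platform.release(), cmdline))
```

The command-line test only sees an explicit boot parameter; strict mode selected by other means is not detected.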
