CVE-2026-45894
Awaiting Analysis - Queue
VT-d PASID Entry Clear Race Condition in Linux Kernel

Publication date: 2026-05-27

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Clear Present bit before tearing down PASID entry

The Intel VT-d Scalable Mode PASID table entry consists of 512 bits (64 bytes). When tearing down an entry, the current implementation zeros the entire 64-byte structure immediately using multiple 64-bit writes.

Since the IOMMU hardware may fetch these 64 bytes using multiple internal transactions (e.g., four 128-bit bursts), updating or zeroing the entire entry while it is active (P=1) risks a "torn" read. If a hardware fetch occurs simultaneously with the CPU zeroing the entry, the hardware could observe an inconsistent state, leading to unpredictable behavior or spurious faults.

Follow the "Guidance to Software for Invalidations" in the VT-d spec (Section 6.5.3.3) by implementing the recommended ownership handshake:

1. Clear only the 'Present' (P) bit of the PASID entry.
2. Use a dma_wmb() to ensure the cleared bit is visible to hardware before proceeding.
3. Execute the required invalidation sequence (PASID cache, IOTLB, and Device-TLB flush) to ensure the hardware has released all cached references.
4. Only after the flushes are complete, zero out the remaining fields of the PASID entry.

Also, add a dma_wmb() in pasid_set_present() to ensure that all other fields of the PASID entry are visible to the hardware before the Present bit is set.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-30
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
intel linux_kernel *
linux linux_kernel *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's handling of the Intel VT-d Scalable Mode PASID table entries. When tearing down a PASID entry, the kernel previously zeroed out the entire 64-byte structure at once while the entry was still marked as present (P=1). Because the IOMMU hardware may fetch this data in multiple internal transactions, this simultaneous update could cause the hardware to read an inconsistent or 'torn' state of the entry.

Such torn reads can lead to unpredictable hardware behavior or spurious faults. The fix involves first clearing only the Present bit, ensuring this change is visible to hardware, performing necessary invalidation sequences to flush cached references, and only then zeroing out the rest of the entry. This sequence prevents the hardware from seeing inconsistent data during the teardown process.

Impact Analysis

If exploited or triggered, this vulnerability can cause the IOMMU hardware to observe inconsistent or torn PASID entry data during teardown. This may result in unpredictable hardware behavior or spurious faults, potentially affecting system stability or causing device communication errors.

Mitigation Strategies

The fix for this vulnerability is a change to how the Linux kernel handles Intel VT-d Scalable Mode PASID table entries. The resolved code takes the following steps:

  • Clear only the 'Present' (P) bit of the PASID entry before tearing it down.
  • Use a dma_wmb() memory barrier to ensure the cleared Present bit is visible to the hardware before proceeding.
  • Execute the required invalidation sequence, including PASID cache, IOTLB, and Device-TLB flush, to ensure the hardware has released all cached references.
  • Only after completing the flushes, zero out the remaining fields of the PASID entry.
  • Add a dma_wmb() in pasid_set_present() to ensure all other fields of the PASID entry are visible to the hardware before setting the Present bit.
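
As an added illustration (not code from the kernel or from this advisory), the following user-space C model shows why the teardown order matters. It assumes an entry of eight 64-bit words with the Present bit at bit 0 of word 0, a hardware fetch of four 128-bit bursts, and a CPU step that lands between two bursts; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASID_WORDS 8     /* 512-bit entry modelled as eight 64-bit words */
#define PASID_P     1ULL  /* assumed Present bit position: bit 0 of word 0 */
struct pasid_entry { uint64_t val[PASID_WORDS]; };
typedef void (*cpu_step_fn)(struct pasid_entry *);

/* Old teardown: zero all 64 bytes while the entry is still present. */
static void teardown_zero_all(struct pasid_entry *pe)
{
    for (int i = 0; i < PASID_WORDS; i++)
        pe->val[i] = 0;
}

/* Step 1 of the fixed teardown: clear only P. In the kernel this is followed
 * by dma_wmb(), the PASID cache/IOTLB/Device-TLB flushes, then the zeroing. */
static void teardown_clear_present(struct pasid_entry *pe)
{
    pe->val[0] &= ~PASID_P;
}

/* Modelled hardware fetch in four 128-bit bursts; the CPU step runs right
 * after burst `race_after` (0..3) has been read. Returns 1 if the fetched
 * copy is torn: marked present, yet different from the original entry. */
static int race_is_torn(cpu_step_fn cpu_step, int race_after)
{
    struct pasid_entry orig, live, seen;
    for (int i = 0; i < PASID_WORDS; i++)  /* constructed field values */
        orig.val[i] = 0x1111111111111111ULL * (uint64_t)(i + 1);
    orig.val[0] |= PASID_P;
    live = orig;
    for (int burst = 0; burst < 4; burst++) {
        memcpy(&seen.val[burst * 2], &live.val[burst * 2], 16);
        if (burst == race_after)
            cpu_step(&live);
    }
    return (seen.val[0] & PASID_P) && memcmp(&seen, &orig, sizeof(orig)) != 0;
}

int main(void)
{
    for (int b = 0; b < 4; b++)
        printf("race after burst %d: zero-all torn=%d, clear-P-first torn=%d\n",
               b, race_is_torn(teardown_zero_all, b),
               race_is_torn(teardown_clear_present, b));
    return 0;
}
```

In this model, zeroing the whole entry after bursts 0 to 2 leaves the fetch with P=1 over zeroed fields, while clearing P first leaves it with the complete old entry, which the subsequent invalidation sequence then evicts.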
Compliance Impact

The provided information does not include any details about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
