CVE-2026-45945
Status: Analyzed - Analysis Complete
Race Condition in Linux Kernel VT-d IOMMU PASID Entry Replacement

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix race condition during PASID entry replacement

The Intel VT-d PASID table entry is 512 bits (64 bytes). When replacing an active PASID entry (e.g., during domain replacement), the current implementation calculates a new entry on the stack and copies it to the table using a single structure assignment.

    struct pasid_entry *pte, new_pte;

    pte = intel_pasid_get_entry(dev, pasid);
    pasid_pte_config_first_level(iommu, &new_pte, ...);
    *pte = new_pte;

Because the hardware may fetch the 512-bit PASID entry in multiple 128-bit chunks, updating the entire entry while it is active (Present bit set) risks a "torn" read. In this scenario, the IOMMU hardware could observe an inconsistent state - partially new data and partially old data - leading to unpredictable behavior or spurious faults.

Fix this by removing the unsafe "replace" helpers and following the "clear-then-update" flow, which ensures the Present bit is cleared and the required invalidation handshake is completed before the new configuration is applied.

Meta Information
Published: 2026-05-27
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Vendor | Product | Version / Range
linux | linux_kernel | From 6.13 (inc) to 6.19.4 (exc)

CWE ID | Description
CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Executive Summary

This vulnerability exists in the Linux kernel's handling of Intel VT-d PASID table entries. A PASID entry is 512 bits (64 bytes). When replacing an active entry, the affected code builds the new entry on the stack and copies it over the old one with a single structure assignment, while the Present bit is still set.

Because the hardware may fetch the 512-bit entry in multiple 128-bit chunks, updating the entire entry while it is active can cause a "torn" read, where the hardware sees a mix of old and new data. This inconsistent state can lead to unpredictable behavior or spurious faults.

The fix involves changing the update process to first clear the Present bit and complete an invalidation handshake before applying the new configuration, preventing the torn read condition.
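
The torn read and the clear-then-update ordering described above can be replayed in a small userspace model. This is an added example, not code from the kernel fix or from this page: the entry layout (Present as bit 0 of word 0), the tag scheme and every function name are assumptions of the model, and it replays one fixed interleaving rather than real concurrency.

```c
/* Constructed userspace model, not kernel code: the "hardware" fetches a
 * 512-bit entry as four 128-bit chunks (two 64-bit words each). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define WORDS   8      /* 512 bits */
#define PRESENT 1ULL   /* model assumption: Present is bit 0 of word 0 */
struct entry { uint64_t val[WORDS]; };
enum flow { REPLACE_IN_PLACE, CLEAR_THEN_UPDATE };

/* Tag every word so a mix of old and new words is detectable. */
static struct entry make_entry(uint64_t tag) {
    struct entry e;
    for (int i = 0; i < WORDS; i++)
        e.val[i] = tag << 8;
    e.val[0] |= PRESENT;
    return e;
}

/* Torn: marked Present but holding words from two different entries. */
static int is_torn(const struct entry *e) {
    for (int i = 1; i < WORDS; i++)
        if ((e->val[0] & PRESENT) && (e->val[i] >> 8) != (e->val[0] >> 8))
            return 1;
    return 0;
}

/* One interleaving: fetch reads chunk 0, driver runs, fetch reads chunks 1..3.
 * Returns the entry as the hardware assembled it. */
static struct entry race(enum flow f, struct entry *pte, const struct entry *new_pte) {
    struct entry seen;
    memcpy(&seen.val[0], &pte->val[0], 16);  /* chunk 0 */
    if (f == REPLACE_IN_PLACE)
        *pte = *new_pte;                     /* rewritten while Present */
    else
        pte->val[0] &= ~PRESENT;             /* clear, then wait for invalidation */
    memcpy(&seen.val[2], &pte->val[2], 48);  /* chunks 1..3 */
    if (f == CLEAR_THEN_UPDATE)
        *pte = *new_pte;                     /* handshake done, no fetch in flight */
    return seen;
}

int main(void) {
    struct entry old = make_entry(0xA), upd = make_entry(0xB), slot = old;
    struct entry a = race(REPLACE_IN_PLACE, &slot, &upd);
    slot = old;
    struct entry b = race(CLEAR_THEN_UPDATE, &slot, &upd);
    printf("in-place torn=%d, clear-then-update torn=%d\n", is_torn(&a), is_torn(&b));
    return 0;
}
```

In the clear-then-update run the in-flight fetch still assembles the complete old entry, and the new entry is only written once the model's stand-in for the invalidation handshake has passed.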

Impact Analysis

This vulnerability can cause the IOMMU hardware to observe inconsistent PASID entry data during updates, potentially leading to unpredictable behavior or spurious faults in the system.

Such faults could affect system stability, cause device communication errors, or lead to unexpected crashes or malfunctions when using Intel VT-d virtualization features.

Mitigation Strategies

The vulnerability is fixed by changing the way the PASID entry is updated in the Intel VT-d IOMMU driver in the Linux kernel. The fix involves removing unsafe 'replace' helpers and instead following a 'clear-then-update' flow, which clears the Present bit and completes the required invalidation handshake before applying the new configuration.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix. This will ensure that the race condition during PASID entry replacement is resolved and prevent inconsistent PASID table states that could cause unpredictable behavior or faults.
