CVE-2026-53164
iommu/dma Zero-Length Mapping Bug in Linux Kernel

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/dma: Do not try to iommu_map a 0 length region in swiotlb

iommu_dma_iova_link_swiotlb() processes a mapping that is unaligned in three parts, the head, middle and trailer. If the middle is empty because there are no aligned pages it will call down to iommu_map() with a 0 size which the iommupt implementation will fail as illegal.

It then tries to do an error unwind and starts from the wrong spot corrupting the mapping so the eventual destruction triggers a WARN_ON.

Check for 0 length and avoid mapping and use offset not 0 as the starting point to unlink.

This is frequently triggered by using some kinds of thunderbolt NVMe drives that trigger forced SWIOTLB for unaligned memory. NVMe seems to pass in oddly aligned buffers for the passthrough commands from smartctl that hit this condition.

Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's iommu/dma subsystem, specifically in the function iommu_dma_iova_link_swiotlb(). The function processes memory mappings in three parts: head, middle, and trailer. When the middle part is empty due to no aligned pages, the code incorrectly calls iommu_map() with a size of 0, which is illegal and causes the iommupt implementation to fail.

Following this failure, the error handling attempts to unwind the mapping starting from the wrong position, which corrupts the mapping. This corruption eventually triggers a WARN_ON during destruction.

The fix involves checking for a 0 length before mapping and avoiding such mapping calls, as well as using the correct offset instead of zero as the starting point to unlink.

This issue is often triggered by certain Thunderbolt NVMe drives that cause forced SWIOTLB usage for unaligned memory, as NVMe passes oddly aligned buffers for passthrough commands (e.g., from smartctl) that hit this condition.
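
The head/middle/trailer split and the two-part fix described above, as a simplified user-space model in C. This is an added example, not kernel code and not part of the advisory; the 4 KiB granule, the -EINVAL return value, and the names split_region and link_model are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRANULE 0x1000u /* assumed 4 KiB IOMMU granule */
struct split  { size_t head, middle, trailer; };
struct result { int err; size_t unlink_start, unlink_len; };

/* Split [phys, phys + size) into unaligned head, aligned middle, unaligned trailer. */
static struct split split_region(uint64_t phys, size_t size)
{
    struct split s = { 0, 0, 0 };
    size_t start_pad = (size_t)(phys & (GRANULE - 1));
    if (start_pad) {
        s.head = GRANULE - start_pad;
        if (s.head >= size) { s.head = size; return s; } /* fits in the head */
        size -= s.head;
    }
    s.trailer = size & (GRANULE - 1); /* remainder after the last full page */
    s.middle = size - s.trailer;      /* 0 when no aligned page remains */
    return s;
}

/* Model of linking a region at `offset` in a larger IOVA reservation (head and middle only). */
static struct result link_model(uint64_t phys, size_t offset, size_t size,
                                int fixed, int inject_fail)
{
    struct split s = split_region(phys, size);
    struct result r = { 0, 0, 0 };
    if (s.middle + s.trailer == 0)   /* head covered the whole region */
        return r;
    if (fixed && s.middle == 0)      /* fix, part 1: skip the empty middle */
        return r;
    /* Stand-in for iommu_map(): a 0-length request is rejected (assumed -EINVAL). */
    r.err = (s.middle == 0 || inject_fail) ? -EINVAL : 0;
    if (r.err) {                     /* unwind what the head already linked */
        r.unlink_start = fixed ? offset : 0; /* fix, part 2: offset, not 0 */
        r.unlink_len = s.head;
    }
    return r;
}

int main(void)
{
    struct result bug = link_model(0x1e00, 0x3000, 0x400, 0, 0);
    printf("unpatched: err=%d, unwind starts at %#zx\n", bug.err, bug.unlink_start);
    return 0;
}
```

In the unpatched mode the constructed region (0x400 bytes at 0x1e00) has no aligned page, so the middle map fails and the unwind covers offset 0 of the reservation rather than 0x3000, where the head was actually linked.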

Impact Analysis

This vulnerability can cause corruption in the IOMMU mapping when handling certain unaligned memory regions, particularly with some Thunderbolt NVMe drives. The corrupted mapping can lead to kernel warnings (WARN_ON) and potentially unstable behavior in the kernel's DMA subsystem.

While the description does not explicitly mention security impacts such as privilege escalation or denial of service, the corruption of memory mappings in the kernel could lead to system instability or crashes, which may affect system reliability.

Detection Guidance

This vulnerability is triggered by certain unaligned memory mappings in the Linux kernel's iommu/dma subsystem, often when using some kinds of Thunderbolt NVMe drives that force SWIOTLB for unaligned memory.

Detection could involve monitoring for kernel WARN_ON messages related to iommu mapping errors, especially those triggered by NVMe passthrough commands such as those from smartctl.

You can check your system logs (e.g., using dmesg or journalctl) for WARN_ON messages related to iommu or swiotlb. A triggered WARN_ON appears in the kernel log as a line beginning with "WARNING:", so search for that string rather than the macro name.

  • dmesg | grep -i 'iommu'
  • journalctl -k | grep -i 'WARNING:'
  • smartctl commands on Thunderbolt NVMe drives might trigger the issue, so monitoring smartctl output and kernel logs during such operations could help detect the vulnerability.

Mitigation Strategies

The vulnerability has been resolved by modifying the Linux kernel to avoid attempting to iommu_map a 0 length region and to correctly handle offsets when unlinking.

Immediate mitigation steps include updating your Linux kernel to a version that contains this fix.

Until the kernel is updated, avoid using Thunderbolt NVMe drives or operations that trigger forced SWIOTLB with unaligned memory mappings, such as certain smartctl passthrough commands.
