KernelScan.io

HIGH

iommu/vt-d PASID Race

CVE-2026-45862

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

KernelScan AI 5.8 MEDIUM


In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Flush cache for PASID table before using it

When writing the address of a freshly allocated zero-initialized PASID table to a PASID directory entry, do that after the CPU cache flush for this PASID table, not before it, to avoid the time window when this PASID table may be already used by non-coherent IOMMU hardware while its contents in RAM is still some random old data, not zero-initialized.


Engine v0.2.0

Risk summary

Systems with Intel VT-d IOMMU hardware that lacks page-walk coherency are vulnerable to a race condition during PASID table initialization. The IOMMU may access stale, uninitialized memory contents before the CPU cache is flushed, leading to unrecoverable faults, potential unintended DMA to host memory, and system crashes.

Affected: drivers/iommu/intel/pasid.c (Intel VT-d IOMMU)

Vulnerability analysis

The vulnerability is a race condition in Intel VT-d IOMMU PASID table management. When allocating a new PASID table, the kernel writes the table address to the PASID directory entry before flushing the CPU cache containing the zero-initialized table contents. On non-coherent IOMMU hardware, this creates a window where the IOMMU can access the table while RAM still contains stale data instead of the expected zeros. This can cause unrecoverable faults and may allow the device to perform unintended DMA reads or writes based on stale page-table-like data. The fix reorders operations to flush the cache before making the table visible to hardware, ensuring coherency between CPU cache and main memory.
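The ordering problem described above can be reproduced in a small user-space model. This is an added example, not the kernel's code or the patch: the struct, function names, table size and stale byte pattern are all hypothetical, and it assumes the directory write becomes visible to the device immediately (the worst case).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORDS 8 /* constructed table size, far smaller than a real PASID table */

/* Hypothetical model: a non-coherent device reads only 'ram'; CPU stores land
 * in 'cache' and reach 'ram' only on an explicit flush. */
struct model {
    uint64_t ram[WORDS], cache[WORDS];
    int published;  /* directory entry points at the table */
    int saw_stale;  /* device walked a non-zero table entry */
};

/* The device may walk the table at any moment once the entry is published. */
static void device_walk(struct model *m)
{
    for (int i = 0; m->published && i < WORDS; i++)
        if (m->ram[i] != 0)
            m->saw_stale = 1;
}

static void cpu_alloc_zeroed(struct model *m)
{
    memset(m->ram, 0xA5, sizeof(m->ram));  /* old page contents still in RAM */
    memset(m->cache, 0, sizeof(m->cache)); /* zeroing is visible to the CPU only */
}

static void cpu_flush(struct model *m) { memcpy(m->ram, m->cache, sizeof(m->ram)); }
/* Assumption: the directory write reaches the device immediately (worst case). */
static void cpu_publish(struct model *m) { m->published = 1; }

/* Returns 1 if the device ever observed stale table contents. */
int device_sees_stale(int flush_before_publish)
{
    struct model m = {0};
    void (*first)(struct model *) = flush_before_publish ? cpu_flush : cpu_publish;
    void (*second)(struct model *) = flush_before_publish ? cpu_publish : cpu_flush;
    cpu_alloc_zeroed(&m); device_walk(&m);
    first(&m);            device_walk(&m);
    second(&m);           device_walk(&m);
    return m.saw_stale;
}

int main(void)
{
    printf("publish then flush: stale=%d\n", device_sees_stale(0));
    printf("flush then publish: stale=%d\n", device_sees_stale(1));
    return 0;
}
```

The device walk is interleaved after every CPU step, so the only ordering in which it never reads stale data is flush first, publish second.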


Branch      Fixed in    Patch commit
5.10        5.10.252    cd75e77125c8
5.15        5.15.202    0616137b70e6
5.5         5.5         c93f23375d8c
6.1         6.1.165     36990407cdd2
6.12        6.12.75     d15cda135148
6.18        6.18.14     22d169bdd284
6.19        6.19.4
6.3         6.3         5962c30a6f05
6.6         6.6.128     36244dfd3853
mainline    7.0