KernelScan.io

HIGH

vfio/pci DMABUF Disable Race

CVE-2026-53322

CVSS 8.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

KernelScan AI: 4.9 MEDIUM


In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Clean up DMABUFs before disabling function

On device shutdown, make vfio_pci_core_close_device() call vfio_pci_dma_buf_cleanup() before the function is disabled via vfio_pci_core_disable(). This ensures that all access via DMABUFs is revoked before the function's BARs become inaccessible.

This fixes an issue where, if the function is disabled first, a tiny window exists in which the function's MSE is cleared and yet BARs could still be accessed via the DMABUF. The resources would also be freed and up for grabs by a different driver.


Engine v0.3.0

Risk summary

A privileged user or compromised management daemon managing VFIO PCI passthrough devices could trigger a tiny race window during device shutdown where PCI BARs are disabled (MSE cleared) but DMABUF-based access is not yet revoked. This could allow a DMABUF importer (e.g., an RDMA driver) to access disabled or reassigned MMIO resources, potentially causing limited information disclosure, limited memory corruption, or kernel panic. Exploitation requires high privileges (CAP_SYS_ADMIN or equivalent VFIO access) and precise timing.

Affected: drivers/vfio/pci/vfio_pci_core.c (VFIO PCI core)

Vulnerability analysis

The root cause is an incorrect ordering of cleanup operations in vfio_pci_core_close_device(). The original code called vfio_pci_core_disable() before vfio_pci_dma_buf_cleanup(), which disabled the PCI function (clearing the Memory Space Enable bit) while DMABUF attachments still held references to the BAR MMIO regions. This created a race window where DMABUF importers (such as RDMA drivers) could still attempt to access MMIO regions that had been disabled and whose underlying resources could be freed and reallocated to another driver. The fix simply swaps the call order: vfio_pci_dma_buf_cleanup() is now called first to synchronously revoke all DMABUF attachments and notify importers to unmap, before vfio_pci_core_disable() disables the function. This eliminates the window where BAR memory is inaccessible but DMABUF references remain live. The attack surface requires a process with sufficient privilege to open and manage VFIO PCI devices (typically CAP_SYS_ADMIN or membership in the vfio group), and the vulnerability is only triggerable during device close/shutdown.


Branch      Fixed in    Patch commit
7.0         7.0.10      4f1000a30f67
mainline    7.1         d97708701434