HIGH Introduced in 3.7
arm64 TLBI Completion Race
CVE-2026-53354
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
01Description
In the Linux kernel, the following vulnerability has been resolved: arm64: errata: Mitigate TLBI errata on various Arm CPUs A number of CPUs developed by Arm suffer from errata whereby a broadcast TLBI;DSB sequence may complete before the global observation of writes which are translated by an affected TLB entry. These errata ONLY affect the completion of memory accesses which have been translated by an invalidated TLB entry, and these errata DO NOT affect the actual invalidation of TLB entries. TLB entries are removed correctly. This issue has been assigned CVE ID CVE-2025-10263. To mitigate this issue, Arm recommends that software follows any affected TLBI;DSB sequence with an additional TLBI;DSB, which will ensure that all memory write effects affected by the first TLBI have been globally observed. The additional TLBI can use any operation that is broadcast to affected CPUs, and the additional DSB can use any option that is sufficient to complete the additional TLBI. The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the issue. Enable this workaround for affected CPUs, and update the silicon errata documentation accordingly. Note that due to the manner in which Arm develops IP and tracks errata, some CPUs share a common erratum number.
02KernelScan AI Analysis
Risk summary
Certain Arm CPU cores (Cortex-A76/A77/A78/X1/X2/X3/X4/X925, Neoverse-N1/N2/V1/V2/V3, C1-Premium/Ultra) have a hardware race condition where a broadcast TLBI;DSB sequence may complete before all memory writes translated by the invalidated TLB entry are globally observed. This broken completion guarantee means the kernel may free or reallocate a physical page while pending writes through the old mapping are still in flight, allowing those writes to complete to a new security context. The missing ARM64_WORKAROUND_REPEAT_TLBI workaround enables a local attacker—without privileges—to corrupt memory across isolation boundaries (integrity) and potentially observe stale contents from previously unmapped regions (confidentiality). The fix enables the workaround for all affected CPU models by issuing a second TLBI;DSB to ensure global observation of all affected memory writes.
Vulnerability analysis
This is a hardware race condition (CPU erratum) in the TLB invalidation completion logic of numerous Arm CPU cores. The root cause is that after a broadcast TLBI;DSB sequence, the DSB barrier may return before all memory writes that were translated by the invalidated TLB entry have been globally observed by the system. TLB entries themselves are correctly removed, but the memory-ordering guarantee is broken. The result is a use-after-free-like condition at the physical-page level: the kernel may proceed to reallocate a page before writes from the previous mapping complete, causing those writes to land in a new security context (integrity violation) and allowing a new owner to potentially observe data from the previous owner (confidentiality violation). The fix adds Kconfig option ARM64_ERRATUM_4118414, which selects ARM64_WORKAROUND_REPEAT_TLBI for the affected CPU MIDRs, forcing an additional TLBI;DSB after any affected sequence. Exploitation does not require elevated privileges; any local unprivileged process can trigger kernel TLB invalidation sequences via standard syscalls (e.g., mmap/munmap/mprotect), and the race window is determined by CPU microarchitecture timing. Because the impact crosses process and kernel security boundaries, Scope is Changed.
03Fix Versions
| Branch | Introduced | Fixed in | Patch commit |
|---|---|---|---|
| 5.10 | 3.7 | 5.10.259 | 925058203229 |
| 5.15 | 3.7 | 5.15.210 | 8364384ae82f |
| 6.1 | 3.7 | 6.1.176 | 7c3ad9365079 |
| 6.12 | 3.7 | 6.12.94 | 4e7c80742e6d |
| 6.18 | 3.7 | 6.18.36 | d4fd42822040 |
| 6.6 | 3.7 | 6.6.143 | e717a4d08779 |
| 7.0 | 3.7 | 7.0.13 | 1b47b1e1d867 |
| 7.1 | 3.7 | 7.1.1 | 1268c64e2bcb |
| mainline | 3.7 | 7.2-rc1 | cfd391e74134 |