In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clear Present...

CVE-2026-45944 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Clear Present bit before tearing down context entry

When tearing down a context entry, the current implementation zeros the
entire 128-bit entry using multiple 64-bit writes. This creates a window
where the hardware can fetch a "torn" entry — where some fields are
already zeroed while the 'Present' bit is still set — leading to
unpredictable behavior or spurious faults.

While x86 provides strong write ordering, the compiler may reorder writes
to the two 64-bit halves of the context entry. Even without compiler
reordering, the hardware fetch is not guaranteed to be atomic with
respect to multiple CPU writes.

Align with the "Guidance to Software for Invalidations" in the VT-d spec
(Section 6.5.3.3) by implementing the recommended ownership handshake:

  1. Clear only the 'Present' (P) bit of the context entry first to
    signal the transition of ownership from hardware to software.
  2. Use dma_wmb() to ensure the cleared bit is visible to the IOMMU.
  3. Perform the required cache and context-cache invalidation to ensure
    hardware no longer has cached references to the entry.
  4. Fully zero out the entry only after the invalidation is complete.

Also, add a dma_wmb() to context_set_present() to ensure the entry
is fully initialized before the 'Present' bit becomes visible.

Basic information

Type
unreviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Not specified
Published (advisory)
2026-05-27 15:33:17 UTC
Updated
2026-05-30 12:31:27 UTC
NVD published
2026-05-27

EPSS Score

Score Percentile
0.01% 1.42%

CVSS Scores

Base score Version Severity Vector
7.5 3.1
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

Type Value
GHSA GHSA-xp3w-6f4f-gvg7 ↗
CVE CVE-2026-45944 ↗

References

cvelogic Threat Intelligence