{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43161","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.990Z","datePublished":"2026-05-06T11:27:39.881Z","dateUpdated":"2026-05-11T22:18:56.583Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:18:56.583Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode\n\nPCIe endpoints with ATS enabled and passed through to userspace\n(e.g., QEMU, DPDK) can hard-lock the host when their link drops,\neither by surprise removal or by a link fault.\n\nCommit 4fc82cd907ac (\"iommu/vt-d: Don't issue ATS Invalidation\nrequest when device is disconnected\") adds pci_dev_is_disconnected()\nto devtlb_invalidation_with_pasid() so ATS invalidation is skipped\nonly when the device is being safely removed, but it applies only\nwhen Intel IOMMU scalable mode is enabled.\n\nWith scalable mode disabled or unsupported, a system hard-lock\noccurs when a PCIe endpoint's link drops because the Intel IOMMU\nwaits indefinitely for an ATS invalidation that cannot complete.\n\nCall Trace:\n qi_submit_sync\n qi_flush_dev_iotlb\n __context_flush_dev_iotlb.part.0\n domain_context_clear_one_cb\n pci_for_each_dma_alias\n device_block_translation\n blocking_domain_attach_dev\n iommu_deinit_device\n __iommu_group_remove_device\n iommu_release_device\n iommu_bus_notifier\n blocking_notifier_call_chain\n bus_notify\n device_del\n pci_remove_bus_device\n pci_stop_and_remove_bus_device\n pciehp_unconfigure_device\n pciehp_disable_slot\n pciehp_handle_presence_or_link_change\n pciehp_ist\n\nCommit 81e921fd3216 (\"iommu/vt-d: Fix NULL domain on device release\")\nadds intel_pasid_teardown_sm_context() to intel_iommu_release_device(),\nwhich calls qi_flush_dev_iotlb() and can also hard-lock the system\nwhen a PCIe endpoint's link drops.\n\nCall Trace:\n qi_submit_sync\n qi_flush_dev_iotlb\n __context_flush_dev_iotlb.part.0\n intel_context_flush_no_pasid\n device_pasid_table_teardown\n pci_pasid_table_teardown\n pci_for_each_dma_alias\n intel_pasid_teardown_sm_context\n intel_iommu_release_device\n iommu_deinit_device\n __iommu_group_remove_device\n iommu_release_device\n iommu_bus_notifier\n blocking_notifier_call_chain\n bus_notify\n device_del\n pci_remove_bus_device\n pci_stop_and_remove_bus_device\n pciehp_unconfigure_device\n pciehp_disable_slot\n pciehp_handle_presence_or_link_change\n pciehp_ist\n\nSometimes the endpoint loses connection without a link-down event\n(e.g., due to a link fault); killing the process (virsh destroy)\nthen hard-locks the host.\n\nCall Trace:\n qi_submit_sync\n qi_flush_dev_iotlb\n __context_flush_dev_iotlb.part.0\n domain_context_clear_one_cb\n pci_for_each_dma_alias\n device_block_translation\n blocking_domain_attach_dev\n __iommu_attach_device\n __iommu_device_set_domain\n __iommu_group_set_domain_internal\n iommu_detach_group\n vfio_iommu_type1_detach_group\n vfio_group_detach_container\n vfio_group_fops_release\n __fput\n\npci_dev_is_disconnected() only covers safe-removal paths;\npci_device_is_present() tests accessibility by reading\nvendor/device IDs and internally calls pci_dev_is_disconnected().\nOn a ConnectX-5 (8 GT/s, x2) this costs ~70 µs.\n\nSince __context_flush_dev_iotlb() is only called on\n{attach,release}_dev paths (not hot), add pci_device_is_present()\nthere to skip inaccessible devices and avoid the hard-lock."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/iommu/intel/pasid.c"],"versions":[{"version":"37764b952e1b39053defc7ebe5dcd8c4e3e78de9","lessThan":"48b3f08e68b29a79527869cdde7298ca2a9b9646","status":"affected","versionType":"git"},{"version":"37764b952e1b39053defc7ebe5dcd8c4e3e78de9","lessThan":"e70d5feb10c5ba2bbf7ca400b8f39a2f82d653e8","status":"affected","versionType":"git"},{"version":"37764b952e1b39053defc7ebe5dcd8c4e3e78de9","lessThan":"bc0490ad9edf5c6f98e39fbbee2877b85261a5ae","status":"affected","versionType":"git"},{"version":"37764b952e1b39053defc7ebe5dcd8c4e3e78de9","lessThan":"42662d19839f34735b718129ea200e3734b07e50","status":"affected","versionType":"git"},{"version":"99301a53a1378f8863ac7850b9589f997bb0e125","status":"affected","versionType":"git"},{"version":"948ec6d003280d49aca49b366aa5cb140f87434d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/iommu/intel/pasid.c"],"versions":[{"version":"5.14","status":"affected"},{"version":"0","lessThan":"5.14","status":"unaffected","versionType":"semver"},{"version":"6.12.77","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.17","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.12.77"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.18.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.19.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"7.0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/48b3f08e68b29a79527869cdde7298ca2a9b9646"},{"url":"https://git.kernel.org/stable/c/e70d5feb10c5ba2bbf7ca400b8f39a2f82d653e8"},{"url":"https://git.kernel.org/stable/c/bc0490ad9edf5c6f98e39fbbee2877b85261a5ae"},{"url":"https://git.kernel.org/stable/c/42662d19839f34735b718129ea200e3734b07e50"}],"title":"iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode","x_generator":{"engine":"bippy-1.2.0"}}}}