PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45894 Linux CVE debrief

A race condition vulnerability in the Linux kernel's Intel VT-d (Virtualization Technology for Directed I/O) driver could allow IOMMU hardware to observe inconsistent PASID (Process Address Space ID) table entry states during teardown operations. The flaw occurs because the current implementation zeros the entire 64-byte PASID entry while the Present bit remains set, creating a window where hardware fetching the entry via multiple internal transactions could read a partially-updated (torn) state. This violates Intel's VT-d specification guidance for safe invalidation sequences and could lead to unpredictable IOMMU behavior or spurious faults. The vulnerability affects systems using Intel VT-d Scalable Mode with PASID support, commonly found in virtualization and device assignment scenarios. The fix implements a proper ownership handshake: first clearing only the Present bit with a memory barrier, executing required cache invalidations, then zeroing remaining fields only after hardware has released all cached references.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running Linux-based virtualization infrastructure with Intel VT-d enabled, particularly those using PCI device passthrough with Scalable Mode PASID. Cloud providers, enterprise virtualization platforms, and HPC environments utilizing Intel hardware-assisted I/O virtualization are primary stakeholders.

Technical summary

The Intel VT-d driver in the Linux kernel contains a race condition in PASID table entry teardown. The 512-bit (64-byte) PASID entry structure was being zeroed via multiple 64-bit writes while the Present (P) bit remained active. Since IOMMU hardware may fetch this entry using multiple internal transactions (e.g., four 128-bit bursts), concurrent hardware access during CPU zeroing creates a torn read hazard where hardware observes an inconsistent entry state. The resolution implements Intel VT-d specification Section 6.5.3.3 guidance: (1) clear only the Present bit, (2) issue dma_wmb() barrier, (3) execute PASID cache/IOTLB/Device-TLB invalidation sequence, (4) zero remaining fields only after flushes complete. A complementary dma_wmb() was added to pasid_set_present() to ensure field visibility before Present bit activation.

Defensive priority

high

Recommended defensive actions

  • Apply kernel updates containing the fix for CVE-2026-45894, specifically commits addressing iommu/vt-d PASID entry teardown
  • Prioritize patching systems utilizing Intel VT-d with Scalable Mode and PASID-enabled device assignment
  • Monitor for kernel stable updates backporting commits 75ed00055c059dedc47b5daaaa2f8a7a019138ff, 821807c167b7b48a41b95b6607c6b9f97600f7d9, 949d71666e9dd19f21e7b4b53a88cd2c5b902858, or a84d30e8d2bacd21782a6481158b7c9c552f4
  • Review systems running virtualization workloads with PCI device passthrough for potential IOMMU-related instability
  • Validate IOMMU configuration follows vendor guidance for Intel VT-d implementations

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-27, which documents a kernel patch resolving the race condition. The fix follows Intel VT-d specification Section 6.5.3.3 guidance for invalidation sequences. Multiple stable kernel commits are referenced indicating backports to affected versions.

Official resources

2026-05-27