PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45944 Linux CVE debrief

A race condition vulnerability exists in the Linux kernel's Intel VT-d (Virtualization Technology for Directed I/O) IOMMU driver. When tearing down context entries, the driver previously zeroed the entire 128-bit entry using multiple 64-bit writes without first clearing the Present bit. This created a window where the hardware could fetch a partially-zeroed (torn) entry while the Present bit remained set, potentially causing unpredictable IOMMU behavior or spurious faults. The vulnerability stems from compiler reordering of writes to the two 64-bit halves and non-atomic hardware fetches relative to CPU writes. The fix implements the VT-d specification's recommended ownership handshake: first clear only the Present bit, issue a write memory barrier, perform required cache invalidations, then fully zero the entry. An additional memory barrier was added to context_set_present() to ensure entries are fully initialized before the Present bit becomes visible.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with Intel VT-d enabled for device passthrough (PCIe devices to VMs, SR-IOV, DPDK with IOMMU) should prioritize this fix. Cloud providers, virtualization platforms, and HPC environments using Intel hardware with IOMMU virtualization are primary affected constituencies.

Technical summary

The vulnerability is in the context entry teardown code under drivers/iommu/intel/. The 128-bit context entries were zeroed with two 64-bit writes and no synchronization, so the hardware could observe intermediate states. The fix implements: (1) atomic Present bit clearing, (2) a dma_wmb() barrier, (3) cache/context-cache invalidation per VT-d spec 6.5.3.3, (4) full zeroing only after invalidation completes. A complementary fix adds dma_wmb() to context_set_present() so that initialization completes before the entry becomes visible. Together these prevent torn reads by the IOMMU hardware during entry lifecycle transitions.
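The teardown ordering described above, as a user-space model added for illustration (not the kernel's code). The struct layout, the hw_* helpers and the sample values are assumptions of the model, as is the rule that an invalidation lets an in-flight fetch finish before it returns; atomic_thread_fence() stands in for dma_wmb().

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: 128-bit context entry as two halves; Present = bit 0 of lo. */
struct ctx_entry { uint64_t lo, hi; };
#define CTX_PRESENT 1ULL

/* Simulated IOMMU fetch: latches lo, reads hi later (non-atomic vs. CPU stores). */
struct hw { const struct ctx_entry *e; struct ctx_entry orig; uint64_t lo; int inflight, torn; };

static void hw_read_lo(struct hw *h) { h->lo = h->e->lo; h->inflight = 1; }
static void hw_read_hi(struct hw *h)
{
    /* Torn: a Present entry whose halves differ from what software programmed. */
    if ((h->lo & CTX_PRESENT) && (h->lo != h->orig.lo || h->e->hi != h->orig.hi))
        h->torn++;
    h->inflight = 0;
}
/* Stand-in for invalidation: an in-flight fetch completes before it returns. */
static void hw_invalidate(struct hw *h) { if (h->inflight) hw_read_hi(h); }

/* Pre-fix teardown: two plain stores, fetch interleaved at the worst point.
 * hi_first models the compiler emitting the high-half store first. */
static int teardown_old(struct ctx_entry *e, int hi_first)
{
    struct hw h = { .e = e, .orig = *e };
    if (hi_first) { e->hi = 0; hw_read_lo(&h); e->lo = 0; }
    else          { hw_read_lo(&h); e->lo = 0; e->hi = 0; }
    hw_read_hi(&h);
    return h.torn;
}

/* Fixed teardown, in the order the summary lists, against the same fetch. */
static int teardown_fixed(struct ctx_entry *e)
{
    struct hw h = { .e = e, .orig = *e };
    hw_read_lo(&h);                            /* fetch already in flight */
    e->lo &= ~CTX_PRESENT;                     /* (1) clear only Present */
    atomic_thread_fence(memory_order_release); /* (2) stand-in for dma_wmb() */
    hw_invalidate(&h);                         /* (3) invalidate; drains fetch */
    e->lo = 0; e->hi = 0;                      /* (4) zero the whole entry */
    hw_read_lo(&h); hw_read_hi(&h);            /* later fetch: Present is 0 */
    return h.torn;
}

int main(void)
{
    struct ctx_entry a = { 0x1001, 0x0102 }, b = a, c = a; /* constructed values */
    printf("torn fetches: old lo-first=%d old hi-first=%d fixed=%d\n",
           teardown_old(&a, 0), teardown_old(&b, 1), teardown_fixed(&c));
    return 0;
}
```

Both pre-fix schedules produce a torn fetch: one from store reordering, one from the two-step hardware read. The fixed order produces none because the high half is untouched until the invalidation has completed.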

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced commits once available through distribution channels
  • For systems using Intel VT-d with passthrough devices, prioritize kernel updates to prevent potential IOMMU faults or unpredictable DMA behavior
  • Monitor vendor security advisories for backported fixes to currently deployed kernel versions
  • Review system logs for spurious IOMMU faults that may indicate exposure to this race condition
  • Validate IOMMU functionality after kernel updates using standard device passthrough workloads

Evidence notes

The vulnerability description indicates this is a resolved issue in the Linux kernel's IOMMU/VT-d subsystem. The fix aligns with Intel VT-d specification Section 6.5.3.3 guidance for invalidations. Multiple stable kernel commits are referenced, indicating backports to supported branches. No CVSS score or severity has been assigned by NVD as of the modified date (2026-05-27T14:48:03Z); status remains Awaiting Analysis.

Official resources

2026-05-27