PatchSiren

CVE-2026-45945 Linux CVE debrief

A race condition in the Linux kernel's Intel VT-d IOMMU driver could allow torn reads of PASID table entries, potentially causing unpredictable IOMMU behavior or spurious faults. The vulnerability exists because the kernel replaced active PASID entries with a 512-bit structure assignment, which does not guarantee that the hardware observes a consistent entry. The fix implements a clear-then-update flow with proper invalidation handshakes.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with Intel VT-d enabled, particularly virtualization platforms using device assignment with PASID capabilities. Cloud providers and enterprises with PCI device passthrough configurations should monitor for kernel updates.

Technical summary

The Intel VT-d implementation in the Linux kernel contains a race condition when replacing active PASID (Process Address Space ID) table entries. The 512-bit PASID entry structure was being updated via direct assignment while the Present bit remained set, creating a window where the IOMMU hardware could perform partial 128-bit chunk reads of inconsistent data. This torn read scenario could produce undefined IOMMU translation behavior. The resolution removes unsafe replacement helpers and enforces a two-phase clear-then-update protocol with mandatory cache invalidation between phases, ensuring hardware-observable atomicity.
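
The following is an added model of the race described above, not code from the kernel or from the fix commits. It enumerates every interleaving of a four-chunk hardware walk with the writer's stores and counts walks that see Present=1 with mixed old and new chunks. The chunk tags, the store order, and the rule that invalidation drains walks begun before the update phase are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Model only: each 128-bit chunk is one tagged word; bit 0 of chunk 0 is Present. */
static const uint64_t OLD_E[4] = {0xA001, 0xA010, 0xA020, 0xA030};
static const uint64_t NEW_E[4] = {0xB001, 0xB010, 0xB020, 0xB030};

enum mode { DIRECT_ASSIGN, CLEAR_NO_INVAL, CLEAR_INVAL_UPDATE };

/* Value of chunk i in memory after the writer has completed w stores. */
static uint64_t chunk_after(enum mode m, int i, int w)
{
    if (m == DIRECT_ASSIGN)             /* stores 1..4 overwrite chunks 0..3 */
        return w > i ? NEW_E[i] : OLD_E[i];
    if (i == 0) {                       /* store 1 clears Present, store 5 sets it */
        if (w == 0) return OLD_E[0];
        return w == 5 ? NEW_E[0] : (OLD_E[0] & ~1ULL);
    }
    return w > i ? NEW_E[i] : OLD_E[i]; /* stores 2..4 fill chunks 1..3 */
}

/* Count walks (chunk i fetched after w[i] stores, w non-decreasing) that see
 * Present=1 together with a mix of old and new chunks. */
int count_torn(enum mode m)
{
    int last = (m == DIRECT_ASSIGN) ? 4 : 5, torn = 0, w[4];
    for (w[0] = 0; w[0] <= last; w[0]++)
    for (w[1] = w[0]; w[1] <= last; w[1]++)
    for (w[2] = w[1]; w[2] <= last; w[2]++)
    for (w[3] = w[2]; w[3] <= last; w[3]++) {
        /* Assumed invalidation semantics: walks begun before store 2 are drained first. */
        if (m == CLEAR_INVAL_UPDATE && w[0] <= 1 && w[3] > 1)
            continue;
        if (!(chunk_after(m, 0, w[0]) & 1))
            continue;                   /* not present: hardware ignores the rest */
        int olds = 0, news = 0;
        for (int i = 0; i < 4; i++) {
            uint64_t v = chunk_after(m, i, w[i]);
            olds += (v == OLD_E[i]);
            news += (v == NEW_E[i]);
        }
        torn += (olds != 4 && news != 4);
    }
    return torn;
}

int main(void)
{
    printf("direct=%d no_inval=%d clear_inval_update=%d\n", count_torn(DIRECT_ASSIGN),
           count_torn(CLEAR_NO_INVAL), count_torn(CLEAR_INVAL_UPDATE));
    return 0;
}
```

In this model, clearing Present without the invalidation step still leaves torn walks, which is why the handshake between the two phases is mandatory.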

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing commits 66a7aff480a8 and c3b1edea3791 when available from your Linux distribution
  • For systems using Intel VT-d with PASID (Process Address Space ID) features, prioritize kernel updates on virtualization hosts and systems with device assignment
  • Monitor distribution security advisories for backported stable kernel updates
  • Review system logs for IOMMU fault messages that may indicate trigger conditions

Evidence notes

CVE published 2026-05-27. Kernel commit references indicate stable branch fixes. No CVSS score assigned by NVD at time of disclosure.
