iommu: Don't reserve 0-length IOVA region
Description
A zero-length IOVA region reservation in the Linux kernel's IOMMU subsystem corrupts the IOVA rbtree, causing display IOMMU mappings to fail; fixed by skipping such reservations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Linux kernel's IOMMU subsystem. When the bootloader or firmware does not set up framebuffers, the iommu-addresses property contains address and size values of 0. The kernel then reserves a 0-length IOVA region, which corrupts the IOVA rbtree by inserting an entry where pfn_hi < pfn_lo. This corruption causes subsequent IOMMU mappings for display drivers to fail, as the entire valid IOVA space becomes reserved. The issue affects kernel versions prior to the inclusion of commit [1].
Exploitation
An attacker does not require any special privileges or user interaction. The vulnerability is triggered automatically during system boot if the firmware provides a zero-length IOVA region for a framebuffer. The sequence is: the system boots, the kernel parses the iommu-addresses property, reserves the zero-length region, corrupts the rbtree, and any subsequent attempt to map IOVA space for the display driver fails. This can be exploited by an attacker with control over the firmware or boot configuration to cause a denial of service for display functionality.
Impact
Successful exploitation results in a denial of service for the display subsystem. The corruption of the IOVA rbtree prevents the display driver from obtaining valid IOVA mappings, rendering the display non-functional. No privilege escalation, information disclosure, or code execution is achieved. The impact is limited to systems that rely on the display driver and have firmware that provides zero-length IOVA regions.
Mitigation
The fix is implemented in Linux kernel commit [1] (5e23e283910c9f30248732ae0770bcb0c9438abf). This commit adds a check for zero-length IOVA regions and skips the reservation, while also emitting a warning if such a region is encountered. Users should update to a kernel version that includes this commit. No workaround is available for unpatched kernels; the only mitigation is to ensure the firmware does not provide zero-length IOVA regions or to apply the kernel patch.
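The arithmetic behind the zero-length case and the skip-with-warning check, as an added example. It is a simplified user-space model, not the kernel's code or the fix commit. It assumes a reservation is stored as an inclusive page-frame range computed from address and length with 4 KiB pages; the names to_pfn_range and reserve_checked are hypothetical and the sample entries are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12 /* assumption: 4 KiB IOVA granule */

struct pfn_range { uint64_t pfn_lo, pfn_hi; };

/* Pre-fix model: inclusive PFN range for [addr, addr + len - 1], no length check. */
static struct pfn_range to_pfn_range(uint64_t addr, uint64_t len)
{
    struct pfn_range r;
    r.pfn_lo = addr >> PAGE_SHIFT;
    r.pfn_hi = (addr + len - 1) >> PAGE_SHIFT; /* len == 0: end becomes addr - 1 */
    return r;
}

/* Post-fix model: warn and skip a 0-length region. Returns 1 if *out was filled. */
static int reserve_checked(uint64_t addr, uint64_t len, struct pfn_range *out)
{
    if (len == 0) {
        fprintf(stderr, "warning: skipping 0-length IOVA region at 0x%llx\n",
                (unsigned long long)addr);
        return 0;
    }
    *out = to_pfn_range(addr, len);
    return 1;
}

int main(void)
{
    /* Constructed sample entries {address, length}, not taken from real firmware. */
    const uint64_t regions[3][2] = {
        { 0x80000000ULL, 0x800000ULL }, /* framebuffer set up by firmware */
        { 0x0ULL, 0x0ULL },             /* framebuffer not set up: both 0 */
        { 0x1000ULL, 0x0ULL },          /* zero length at a non-zero address */
    };
    for (int i = 0; i < 3; i++) {
        struct pfn_range raw = to_pfn_range(regions[i][0], regions[i][1]);
        struct pfn_range ok;
        int kept = reserve_checked(regions[i][0], regions[i][1], &ok);
        printf("unchecked lo=0x%llx hi=0x%llx (%s) -> checked: %s\n",
               (unsigned long long)raw.pfn_lo, (unsigned long long)raw.pfn_hi,
               raw.pfn_hi < raw.pfn_lo ? "hi < lo" : "hi >= lo",
               kept ? "reserved" : "skipped");
    }
    return 0;
}
```

In this model, an address and length of 0 wrap the end address to the top of the address space, so the range spans every page frame, while a zero length at a non-zero page-aligned address yields pfn_hi < pfn_lo.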
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (6)
- osv-coords (4 versions):
  - pkg:deb/ubuntu/linux-aws@6.5.0-1021.21?arch=source&distro=mantic
  - pkg:deb/ubuntu/linux-laptop@6.5.0-1017.20?arch=source&distro=mantic
  - pkg:deb/ubuntu/linux-oem-6.5
  - pkg:deb/ubuntu/linux-oracle@6.5.0-1024.24?arch=source&distro=mantic
- (no CPE) range: < 6.5.0-1021.21
- (no CPE) range: < 6.5.0-1017.20
- (no CPE) range: < 6.5.0-1022.23
- (no CPE) range: < 6.5.0-1024.24
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.