VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40155

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: debugfs: Fix legacy mode page table dump logic

In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR may be uninitialized or zero in that case and may cause an oops like:

Oops: general protection fault, probably for non-canonical address 0xf00087d3f000f000: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014
RIP: 0010:pgtable_walk_level+0x98/0x150
RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206
RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e
RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d3f0010000
RBP: ffffc90000f27a00 R08: ffffc90000f27a98 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000000 R12: f00087d3f000f000
R13: 0000000000000000 R14: 0000000040000000 R15: ffffc90000f27a98
FS:  0000764566dcb740(0000) GS:ffff8881f812c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000764566d44000 CR3: 0000000109d81003 CR4: 0000000000772ef0
PKRU: 55555554
Call Trace:
 pgtable_walk_level+0x88/0x150
 domain_translation_struct_show.isra.0+0x2d9/0x300
 dev_domain_translation_struct_show+0x20/0x40
 seq_read_iter+0x12d/0x490
 ...

Avoid walking the page table if TT is not 00b or 01b.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's IOMMU VT-d debugfs, legacy mode page table dump can dereference an uninitialized SSPTPTR, causing a general protection fault.

Root Cause

In the Linux kernel's IOMMU VT-d debugfs interface, the code that dumps the page table in legacy mode fails to check the Translation Type (TT) field before using the second-stage page table pointer (SSPTPTR). According to the VT-d specification, SSPTPTR is only valid when TT is 00b or 01b; otherwise it may be uninitialized or contain stale data. The code unconditionally walks the page table using SSPTPTR, leading to a general protection fault (oops) when TT is not 00b or 01b [1].

Exploitation

The vulnerability is triggered by reading the debugfs file domain_translation_struct (or similar) for a device that uses legacy mode with an invalid TT value. No special privileges beyond local access to debugfs are required; a local user with read access to the debugfs file can cause the kernel to crash. The crash trace shows the pgtable_walk_level function dereferencing the non-canonical address 0xf00087d3f000f000 [1].

Impact

An attacker with local access can trigger a kernel oops (general protection fault), resulting in a denial of service (system crash or hang). The vulnerability does not appear to allow privilege escalation or arbitrary code execution, as the fault occurs during a read operation and the invalid address is not attacker-controlled in a way that would permit controlled memory corruption [1].

Mitigation

The fix adds a check for TT before walking the page table; if TT is not 00b or 01b, the walk is skipped. The patch has been applied to the Linux kernel stable tree [1]. Users should update to a kernel version containing the commit d8cf7b59c49f or later. No workaround is available other than restricting access to (or disabling) the debugfs interface.
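The following is an added illustration of the root cause and of the fix described above; it is not code from the Linux kernel, from the patch, or from this advisory. It models a VT-d legacy-mode context entry using the bit layout from the VT-d specification (P in bit 0, TT in bits 3:2, SSPTPTR in bits 63:12) and a constructed two-level page table held in a small fake memory array, so the walker never touches real memory. All names (ctx_entry, walk_level, dump_legacy_unchecked, dump_legacy_checked, build_fake_tables) are hypothetical. The unchecked dump mirrors the pre-fix behaviour, following SSPTPTR whatever TT says; the checked dump applies the TT gate the fix introduces. An out-of-range pointer is reported as -1, standing in for the general protection fault the kernel hit on the stale value 0xf00087d3f000f000 from the trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a legacy-mode context entry (hypothetical, not kernel code).
 * Low 64 bits, per the VT-d specification:
 *   bit 0      P (present)
 *   bits 3:2   TT (translation type): 00b/01b use SSPTPTR, 10b pass-through, 11b reserved
 *   bits 63:12 SSPTPTR (second-stage page-table pointer, 4 KiB aligned) */
struct ctx_entry { uint64_t lo, hi; };

#define CTX_PRESENT   (1ull << 0)
#define CTX_TT_SHIFT  2
#define CTX_TT_MASK   0x3ull
#define CTX_PTR_MASK  (~0xfffull)
#define PTE_PRESENT   1ull

static struct ctx_entry make_ctx(uint64_t ssptptr, unsigned tt) {
    struct ctx_entry c = { 0, 0 };
    c.lo = (ssptptr & CTX_PTR_MASK) | ((uint64_t)(tt & CTX_TT_MASK) << CTX_TT_SHIFT) | CTX_PRESENT;
    return c;
}

static unsigned ctx_tt(struct ctx_entry c) { return (unsigned)((c.lo >> CTX_TT_SHIFT) & CTX_TT_MASK); }
static uint64_t ctx_ssptptr(struct ctx_entry c) { return c.lo & CTX_PTR_MASK; }

/* The check the fix adds: SSPTPTR is only meaningful when TT is 00b or 01b. */
static int ctx_ssptptr_valid(struct ctx_entry c) { unsigned tt = ctx_tt(c); return tt == 0 || tt == 1; }

/* Fake "physical" memory: 4 pages of 8 entries each. A pointer value is
 * page_index << 12, so the walker can bounds-check instead of faulting. */
#define FAKE_PAGES        4
#define ENTRIES_PER_TABLE 8
static uint64_t fake_mem[FAKE_PAGES][ENTRIES_PER_TABLE];

/* Install a constructed two-level table rooted at page 1. Returns the number
 * of present entries installed (5), which is what a full walk should count. */
static int build_fake_tables(void) {
    memset(fake_mem, 0, sizeof fake_mem);
    fake_mem[1][0] = (2ull << 12) | PTE_PRESENT;     /* root[0] -> page 2 */
    fake_mem[1][3] = (3ull << 12) | PTE_PRESENT;     /* root[3] -> page 3 */
    fake_mem[2][1] = (0x10ull << 12) | PTE_PRESENT;  /* leaf entries: not followed */
    fake_mem[2][2] = (0x11ull << 12) | PTE_PRESENT;
    fake_mem[3][7] = (0x12ull << 12) | PTE_PRESENT;
    return 5;
}

/* Count present entries reachable from the table at `addr`, walking `level`
 * levels. Returns -1 when a pointer falls outside fake memory, which is this
 * model's stand-in for the kernel's general protection fault. */
static long walk_level(uint64_t addr, int level) {
    uint64_t page = addr >> 12;
    if ((addr & 0xfff) || page >= FAKE_PAGES) return -1;
    long count = 0;
    for (int i = 0; i < ENTRIES_PER_TABLE; i++) {
        uint64_t pte = fake_mem[page][i];
        if (!(pte & PTE_PRESENT)) continue;
        count++;
        if (level > 1) {
            long sub = walk_level(pte & CTX_PTR_MASK, level - 1);
            if (sub < 0) return -1;
            count += sub;
        }
    }
    return count;
}

/* Pre-fix behaviour: follows SSPTPTR regardless of TT. */
static long dump_legacy_unchecked(struct ctx_entry c) {
    if (!(c.lo & CTX_PRESENT)) return 0;
    return walk_level(ctx_ssptptr(c), 2);
}

/* Post-fix behaviour: skip the walk when TT says SSPTPTR is not in use.
 * Returns 0 (nothing dumped) for pass-through and reserved TT values. */
static long dump_legacy_checked(struct ctx_entry c) {
    if (!(c.lo & CTX_PRESENT)) return 0;
    if (!ctx_ssptptr_valid(c)) return 0;
    return walk_level(ctx_ssptptr(c), 2);
}

int main(void) {
    build_fake_tables();
    struct ctx_entry good = make_ctx(1ull << 12, 0);                 /* TT=00b, valid pointer */
    struct ctx_entry stale = make_ctx(0xf00087d3f000f000ull, 2);     /* TT=10b, stale pointer */
    printf("TT=00b: unchecked=%ld checked=%ld\n", dump_legacy_unchecked(good), dump_legacy_checked(good));
    printf("TT=10b: unchecked=%ld checked=%ld\n", dump_legacy_unchecked(stale), dump_legacy_checked(stale));
    return 0;
}
```

The stale-pointer case is the one from the trace: with TT=10b the unchecked walker follows a pointer that was never initialized for that translation type and fails, while the checked walker returns without touching it, which is exactly the behaviour the patch restores.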

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
