CVE-2026-43130
Description
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode
Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") relies on pci_dev_is_disconnected() to skip ATS invalidation for safely-removed devices, but it does not cover link-down caused by faults, which can still hard-lock the system.
For example, if a VM fails to connect to the PCIe device, "virsh destroy" is executed to release resources and isolate the fault, but a hard-lockup occurs while releasing the group fd.
Call Trace: qi_submit_sync qi_flush_dev_iotlb intel_pasid_tear_down_entry device_block_translation blocking_domain_attach_dev __iommu_attach_device __iommu_device_set_domain __iommu_group_set_domain_internal iommu_detach_group vfio_iommu_type1_detach_group vfio_group_detach_container vfio_group_fops_release __fput
Although pci_device_is_present() is slower than pci_dev_is_disconnected(), it still takes only ~70 µs on a ConnectX-5 (8 GT/s, x2) and becomes even faster as PCIe speed and width increase.
Besides, devtlb_invalidation_with_pasid() is called only in the paths below, which are far less frequent than memory map/unmap.
- mm-struct release
- {attach,release}_dev
- set/remove PASID
- dirty-tracking setup
The gain in system stability far outweighs the negligible cost of using pci_device_is_present() instead of pci_dev_is_disconnected() to decide when to skip ATS invalidation, especially under GDR high-load conditions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel iommu/vt-d, incomplete ATS invalidation check for disconnected devices can cause system hard-lockup on PCIe link down.
Vulnerability
Analysis A previous attempt to skip ATS invalidation for safely-removed devices relied on pci_dev_is_disconnected(), but this check does not cover PCIe link-down events caused by faults. When a device link is down, the ATS invalidation via qi_submit_sync can cause a system hard-lockup.
Attack
Vector An attacker who can induce a PCIe link down (e.g., by triggering a fault in a virtual machine using VFIO) can cause the system to lock up when the device group is detached, as seen in the call trace during virsh destroy.
Impact
The vulnerability leads to denial of service through system hard-lockup. The fix uses pci_device_is_present() instead, which accurately detects device accessibility at a negligible performance cost (~70 µs on tested hardware), as the affected code paths are infrequent.
Mitigation
Patched in Linux kernel via commit [1]. Users should update to a kernel containing this fix.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/01aed2f1d7cb8fdf4c60c5bb4727608cb82b401dnvdPatch
- git.kernel.org/stable/c/0da6697e577023d8867c7beb2d16a22510e4eea9nvdPatch
- git.kernel.org/stable/c/10e60d87813989e20eac1f3eda30b3bae461e7f9nvdPatch
- git.kernel.org/stable/c/581ce094d9eafb78ec4f9de77bd24b780c151236nvdPatch
- git.kernel.org/stable/c/9813306610d0d718c863aaa70928bf57d7570ec0nvdPatch
- git.kernel.org/stable/c/9deaacc8dcaddb6ddc5b52e1e63b457450ec0f94nvdPatch
- git.kernel.org/stable/c/e2c78c69f8faf2885ea4ceee08c71ac738f401a0nvdPatch
- git.kernel.org/stable/c/ead67d0378e90f419e385a43af29435242d80c12nvdPatch
News mentions
0No linked articles in our index yet.