CVE-2026-43161
Description
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode
PCIe endpoints with ATS enabled and passed through to userspace (e.g., QEMU, DPDK) can hard-lock the host when their link drops, either by surprise removal or by a link fault.
Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") adds pci_dev_is_disconnected() to devtlb_invalidation_with_pasid() so ATS invalidation is skipped only when the device is being safely removed, but it applies only when Intel IOMMU scalable mode is enabled.
With scalable mode disabled or unsupported, a system hard-lock occurs when a PCIe endpoint's link drops because the Intel IOMMU waits indefinitely for an ATS invalidation that cannot complete.
Call Trace:
  qi_submit_sync
  qi_flush_dev_iotlb
  __context_flush_dev_iotlb.part.0
  domain_context_clear_one_cb
  pci_for_each_dma_alias
  device_block_translation
  blocking_domain_attach_dev
  iommu_deinit_device
  __iommu_group_remove_device
  iommu_release_device
  iommu_bus_notifier
  blocking_notifier_call_chain
  bus_notify
  device_del
  pci_remove_bus_device
  pci_stop_and_remove_bus_device
  pciehp_unconfigure_device
  pciehp_disable_slot
  pciehp_handle_presence_or_link_change
  pciehp_ist
Commit 81e921fd3216 ("iommu/vt-d: Fix NULL domain on device release") adds intel_pasid_teardown_sm_context() to intel_iommu_release_device(), which calls qi_flush_dev_iotlb() and can also hard-lock the system when a PCIe endpoint's link drops.
Call Trace:
  qi_submit_sync
  qi_flush_dev_iotlb
  __context_flush_dev_iotlb.part.0
  intel_context_flush_no_pasid
  device_pasid_table_teardown
  pci_pasid_table_teardown
  pci_for_each_dma_alias
  intel_pasid_teardown_sm_context
  intel_iommu_release_device
  iommu_deinit_device
  __iommu_group_remove_device
  iommu_release_device
  iommu_bus_notifier
  blocking_notifier_call_chain
  bus_notify
  device_del
  pci_remove_bus_device
  pci_stop_and_remove_bus_device
  pciehp_unconfigure_device
  pciehp_disable_slot
  pciehp_handle_presence_or_link_change
  pciehp_ist
Sometimes the endpoint loses connection without a link-down event (e.g., due to a link fault); killing the process (virsh destroy) then hard-locks the host.
Call Trace:
  qi_submit_sync
  qi_flush_dev_iotlb
  __context_flush_dev_iotlb.part.0
  domain_context_clear_one_cb
  pci_for_each_dma_alias
  device_block_translation
  blocking_domain_attach_dev
  __iommu_attach_device
  __iommu_device_set_domain
  __iommu_group_set_domain_internal
  iommu_detach_group
  vfio_iommu_type1_detach_group
  vfio_group_detach_container
  vfio_group_fops_release
  __fput
pci_dev_is_disconnected() only covers safe-removal paths; pci_device_is_present() tests accessibility by reading vendor/device IDs and internally calls pci_dev_is_disconnected(). On a ConnectX-5 (8 GT/s, x2) this costs ~70 µs.
Since __context_flush_dev_iotlb() is only called on {attach,release}_dev paths (not hot), add pci_device_is_present() there to skip inaccessible devices and avoid the hard-lock.
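A constructed user-space model of the guard described above, added here and not taken from the kernel patch: the struct, the vendor-ID probe and the two flush variants are simplified stand-ins for the kernel's pci_dev_is_disconnected(), pci_device_is_present() and qi_flush_dev_iotlb(), and FLUSH_HANGS marks where the real qi_submit_sync() would block forever. It shows why the disconnected flag alone misses a link fault and why the presence probe covers both cases in either mode.

```c
/* Constructed user-space model (not kernel code) of the VT-d dev-IOTLB flush
 * guard, contrasting pci_dev_is_disconnected() with pci_device_is_present(). */
#include <stdbool.h>
#include <stdint.h>

/* Modelled endpoint: link state plus the flag pciehp sets on a safe removal.
 * A link fault drops the link without ever setting that flag. */
struct pci_dev {
    bool link_up;
    bool disconnected;   /* what pci_dev_is_disconnected() reports */
    bool ats_enabled;
};

/* Config-space vendor-ID read: a downed link reads back as all ones. */
static uint16_t read_vendor_id(struct pci_dev dev) {
    return dev.link_up ? 0x15b3 : 0xffff;   /* 0x15b3: sample vendor ID */
}

/* Safe-removal paths set the flag before the device is torn down. */
static bool pci_dev_is_disconnected(struct pci_dev dev) {
    return dev.disconnected;
}

/* Mirrors the real helper: check the flag, then probe accessibility. */
static bool pci_device_is_present(struct pci_dev dev) {
    return !pci_dev_is_disconnected(dev) && read_vendor_id(dev) != 0xffff;
}

enum flush_result { FLUSH_SKIPPED, FLUSH_DONE, FLUSH_HANGS };

/* Stand-in for qi_flush_dev_iotlb(): the real qi_submit_sync() never returns
 * when the endpoint cannot answer the ATS invalidation (the hard-lock). */
static enum flush_result qi_flush_dev_iotlb(struct pci_dev dev) {
    return dev.link_up ? FLUSH_DONE : FLUSH_HANGS;
}

/* Before the fix: only the scalable-mode path consulted the flag. */
static enum flush_result flush_before(struct pci_dev dev, bool scalable_mode) {
    if (!dev.ats_enabled || (scalable_mode && pci_dev_is_disconnected(dev)))
        return FLUSH_SKIPPED;
    return qi_flush_dev_iotlb(dev);
}

/* After the fix: skip any device that is no longer accessible, in any mode. */
static enum flush_result flush_after(struct pci_dev dev) {
    if (!dev.ats_enabled || !pci_device_is_present(dev))
        return FLUSH_SKIPPED;
    return qi_flush_dev_iotlb(dev);
}
```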
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
When a PCIe endpoint with ATS loses its link, the Intel IOMMU can hard-lock the host if scalable mode is disabled, due to waiting indefinitely for an ATS invalidation.
Vulnerability
Description
CVE-2026-43161 is a denial-of-service vulnerability in the Linux kernel's Intel IOMMU (VT-d) subsystem. When a PCIe endpoint with ATS (Address Translation Services) enabled loses its link—through surprise removal or a link fault—the IOMMU can become stuck waiting for an ATS invalidation to complete if Intel's scalable mode is not active. The commit 4fc82cd907ac introduced a check for pci_dev_is_disconnected() to skip ATS invalidation during safe removal, but this protection only applies when scalable mode is enabled. Without scalable mode, the device disconnect triggers a synchronous queue invalidation (qi_submit_sync) that never returns, causing the entire host to hard-lock.
Exploitation and Attack Surface
An attacker who can cause a physical PCIe link to drop—for instance, by hot-unplugging a device or manipulating the PCIe slot—can trigger this vulnerability. The affected code paths are exposed when PCIe endpoints with ATS are passed through to userspace (e.g., via QEMU or DPDK) and the Intel IOMMU is configured with scalable mode disabled or unsupported. The call trace shows that the lock occurs during device release when flushing the device IOTLB, specifically in qi_flush_dev_iotlb and __context_flush_dev_iotlb [CVE description]. No authentication or special privileges are needed if physical access or a mechanism to force link removal is available.
Impact
The impact is a local system-wide denial of service. The kernel thread handling the hot-remove becomes blocked indefinitely in qi_submit_sync, and no further progress is made. All user-mode processes and other kernel activities freeze, requiring a hard reset to recover. The vulnerability is especially relevant in data-center or virtualization environments where PCIe hot-removal is used and IOMMU scalable mode may be disabled for performance or compatibility reasons.
Mitigation
The fix for this vulnerability is included in the Linux kernel stable updates [1][2][3][4]. Users should apply the latest kernel patches that extend the disconnect check to cover the non-scalable mode path. The kernel documentation recommends ensuring that Intel IOMMU scalable mode is enabled where possible, as that path already had the pci_dev_is_disconnected() safeguard.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.12.19, <5.13)
- cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.14:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.14:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.14:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.14:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.14:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.14:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
- Patch Tuesday - May 2026 (Rapid7 Blog, May 13, 2026)