VYPR
Medium severity 5.5 · NVD Advisory · Published May 6, 2026 · Updated May 17, 2026

CVE-2026-43220

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: serialize sequence allocation under concurrent TLB invalidations

With concurrent TLB invalidations, completion wait randomly gets timed out because cmd_sem_val was incremented outside the IOMMU spinlock, allowing CMD_COMPL_WAIT commands to be queued out of sequence and breaking the ordering assumption in wait_on_sem(). Move the cmd_sem_val increment under iommu->lock so completion sequence allocation is serialized with command queuing. And remove the unnecessary return.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's AMD IOMMU driver, a race condition in completion sequence allocation under concurrent TLB invalidations can cause command timeouts.

Vulnerability

CVE-2026-43220 is a race condition in the AMD IOMMU driver for the Linux kernel's IOMMU subsystem. The root cause is that the cmd_sem_val counter, used to allocate completion sequence numbers for CMD_COMPL_WAIT commands, was incremented outside the IOMMU spinlock (iommu->lock). Under concurrent TLB invalidations, this allowed multiple threads to obtain the same sequence number or to queue CMD_COMPL_WAIT commands out of order, breaking the ordering assumption in the wait_on_sem() function and causing completion wait operations to randomly time out [1][2][3][4].

Exploitation

An attacker would need to be able to trigger concurrent TLB invalidations on a system using the AMD IOMMU in order to hit this race condition. The vulnerability is triggered by normal IOMMU operations under high concurrency and does not require any special privileges beyond the ability to initiate DMA or device passthrough operations that cause TLB invalidations. The race window is small but can be reliably hit under heavy I/O load.

Impact

Successful exploitation leads to IOMMU command completion wait timeouts, which can cause system instability, I/O errors, or denial of service. The impact is limited to availability (CVSS v3 base score 5.5, Medium severity), as the vulnerability does not allow privilege escalation or information disclosure.

Mitigation

The fix moves the cmd_sem_val increment inside the iommu->lock spinlock, serializing sequence allocation with command queuing. The removal of an unnecessary return statement is also included. Patches have been applied to the Linux kernel stable branches [1][2][3][4]. Users should update to a kernel version containing the fix commit d51bf43193b1 or later.
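The ordering problem and its fix can be reproduced in a small deterministic user-space model, added here as an illustration and not taken from the kernel patch. The struct, the helper names, the forced two-CPU interleaving and the rule that a waiter succeeds once the semaphore has reached its sequence number are assumptions of the model, not the driver's code.

```c
/* Added user-space model, not kernel code; helper names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
struct model_iommu {
    uint64_t cmd_sem_val;   /* last completion sequence number handed out */
    uint64_t cmd_sem;       /* semaphore written back by the hardware */
    uint64_t queue[4];      /* data of queued CMD_COMPL_WAIT commands */
    size_t tail;
};

/* Stands for the queuing step that runs with iommu->lock held. */
static void queue_locked(struct model_iommu *m, uint64_t seq)
{
    m->queue[m->tail++] = seq;
}

/* Before the fix: CPU A allocates first, CPU B wins the lock (constructed). */
static void run_unserialized(struct model_iommu *m)
{
    uint64_t a = ++m->cmd_sem_val;  /* CPU A, no lock held */
    uint64_t b = ++m->cmd_sem_val;  /* CPU B, no lock held */
    queue_locked(m, b);
    queue_locked(m, a);
}

/* After the fix: allocation and queuing share one critical section. */
static void run_serialized(struct model_iommu *m)
{
    for (int cpu = 0; cpu < 2; cpu++)
        queue_locked(m, ++m->cmd_sem_val);
}

/* Drain the queue in order, then count waiters still ahead of cmd_sem. */
int model_timeouts(int serialized)
{
    struct model_iommu m = {0};
    int timeouts = 0;
    if (serialized) run_serialized(&m); else run_unserialized(&m);
    for (size_t i = 0; i < m.tail; i++)
        m.cmd_sem = m.queue[i];     /* hardware stores each command's data */
    for (size_t i = 0; i < m.tail; i++)
        timeouts += (int64_t)(m.cmd_sem - m.queue[i]) < 0;
    return timeouts;
}

int main(void)
{
    printf("timeouts: %d before, %d after\n", model_timeouts(0), model_timeouts(1));
    return 0;
}
```

In the unserialized run the queue holds sequence 2 ahead of sequence 1, so the semaphore ends at 1 and the waiter for 2 never sees its value; in the serialized run queue order and sequence order always agree.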

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
