CVE-2026-43486
Description
In the Linux kernel, the following vulnerability has been resolved:
arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults
contpte_ptep_set_access_flags() compared the gathered ptep_get() value against the requested entry to detect no-ops. ptep_get() ORs AF/dirty from all sub-PTEs in the CONT block, so a dirty sibling can make the target appear already-dirty. When the gathered value matches entry, the function returns 0 even though the target sub-PTE still has PTE_RDONLY set in hardware.
For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered across the CONT range. But page-table walkers that evaluate each descriptor individually (e.g. a CPU without DBM support, or an SMMU without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the unchanged target sub-PTE, causing an infinite fault loop.
Gathering can therefore cause false no-ops when only a sibling has been updated:
- write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)
- read faults: target still lacks PTE_AF
Fix by checking each sub-PTE against the requested AF/dirty/write state (the same bits consumed by __ptep_set_access_flags()), using raw per-PTE values rather than the gathered ptep_get() view, before returning no-op. Keep using the raw target PTE for the write-bit unfold decision.
Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT range may become the effective cached translation and software must maintain consistent attributes across the range.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel bug in arm64 contpte_ptep_set_access_flags() can cause infinite fault loops for SMMU or non-HAFDBS CPUs by incorrectly treating a sub-PTE as already dirty when only a sibling was updated.
Vulnerability
Overview
The vulnerability resides in the Linux kernel's arm64 contiguous PTE (contpte) handling, specifically in the function contpte_ptep_set_access_flags(). The bug occurs when the function compares a gathered ptep_get() value (which ORs the Access Flag and dirty bit from all sub-PTEs in a CONT block) against the requested entry to detect no-op updates. If a sibling sub-PTE has been marked dirty, the gathered value makes the target sub-PTE appear already dirty, causing the function to return 0 without actually updating the target sub-PTE's hardware state.
Exploitation
Conditions
This issue affects page-table walkers that evaluate each descriptor individually, such as a CPU without DBM (Dirty Bit Management) support, an SMMU without HTTU (Hardware Translation Table Update), or when HA/HD are disabled in the CD.TCR (Context Descriptor Translation Control Register). In these scenarios, the walker can repeatedly fault on the unchanged target sub-PTE, leading to an infinite fault loop. The attack surface is local, requiring the ability to trigger page faults on a system with the vulnerable kernel.
Impact
An attacker who can trigger write or read faults on a specific memory region could cause a denial of service (system hang or crash) due to the infinite fault loop. The vulnerability does not directly enable privilege escalation or data leakage, but the resulting system unavailability can disrupt operations.
Mitigation
The fix, introduced in commit 97c5550b7631, changes the no-op check to examine each sub-PTE individually against the requested AF/dirty/write state, rather than using the gathered ptep_get() view. This ensures that the target sub-PTE is correctly updated when needed. The patch has been applied to the stable kernel tree [1]. Users should update to a kernel version containing this commit.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches
405d239f2c95e97c5550b76316f92a7a8b48a09d620555e59
Vulnerability mechanics
Root cause
"Gathering of AF/dirty bits from sibling sub-PTEs in a CONT block causes false no-op detection in contpte_ptep_set_access_flags(), leaving the target sub-PTE unchanged and triggering infinite faults for non-gathered page-table walkers."
Attack vector
On a system whose page-table walker evaluates each descriptor individually (an SMMU without HTTU, or a CPU without DBM/HAFDBS support), an attacker who can trigger page faults on a CONT-mapped page can drive the walker into a loop. When a sibling sub-PTE in the same CONT block has been dirtied or accessed, ptep_get() returns a gathered value that makes the target sub-PTE appear already-dirty or already-accessed. The function then returns 0 without updating the target sub-PTE, which still has PTE_RDONLY set or lacks PTE_AF. The walker faults again on the same descriptor, and the cycle repeats indefinitely, which amounts to a denial of service.
Affected code
The vulnerability is in the arm64 contpte implementation, specifically in the function contpte_ptep_set_access_flags(). The bug occurs when comparing the gathered ptep_get() value (which ORs AF/dirty from all sub-PTEs in the CONT block) against the requested entry to detect no-ops. The patch files modify this comparison logic to use raw per-PTE values instead of the gathered view.
What the fix does
The patch replaces the comparison against the gathered ptep_get() value with a check of each sub-PTE's raw value. It compares only the AF, dirty, and write bits (the same bits consumed by __ptep_set_access_flags()) against the requested entry, rather than the full gathered value, and returns no-op only when every sub-PTE already carries the requested state. This prevents false no-op returns when a sibling sub-PTE has been updated but the target sub-PTE has not. The write-bit unfold decision continues to use the raw target PTE, which was already correct. The result is that each sub-PTE is evaluated individually, matching the behavior of page-table walkers that do not gather across the CONT range.
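To make the false no-op concrete, the following is a self-contained user-space model of the no-op check before and after the fix. It is written for this page and is not the kernel's code. It assumes the arm64 descriptor bit positions for PTE_RDONLY, PTE_AF, PTE_DBM (Linux's PTE_WRITE) and the software PTE_DIRTY bit, a 16-entry CONT block, and simplified stand-ins for ptep_get() gathering, __ptep_set_access_flags() and the unfold path; the names contpte_get_gathered(), contpte_update(), walker_faults() and simulate_fault(), and the block contents they operate on, are constructed for the example. A walker that evaluates one descriptor at a time never stops faulting under the gathered check and takes exactly one fault under the per-PTE check, for both the write-fault and the read-fault case listed in the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed arm64 descriptor bit positions; a standalone model, not pgtable.h. */
#define PTE_RDONLY  (1ULL << 7)    /* AP[2]: hardware read-only */
#define PTE_AF      (1ULL << 10)   /* access flag */
#define PTE_DBM     (1ULL << 51)   /* dirty bit modifier; Linux uses it as PTE_WRITE */
#define PTE_WRITE   PTE_DBM
#define PTE_DIRTY   (1ULL << 55)   /* software dirty bit */
#define CONT_PTES   16             /* sub-PTEs per CONT block with a 4K granule */
#define PFN(i)      ((uint64_t)(0x1000 + (i)) << 12)
#define ACCESS_BITS (PTE_AF | PTE_RDONLY | PTE_DIRTY | PTE_WRITE)  /* bits __ptep_set_access_flags() consumes */

typedef uint64_t pte_t;

static bool pte_write(pte_t p)    { return (p & PTE_WRITE) != 0; }
static bool pte_young(pte_t p)    { return (p & PTE_AF) != 0; }
static bool pte_hw_dirty(pte_t p) { return pte_write(p) && !(p & PTE_RDONLY); }
static bool pte_dirty(pte_t p)    { return (p & PTE_DIRTY) || pte_hw_dirty(p); }
static pte_t pte_mkyoung(pte_t p) { return p | PTE_AF; }
static pte_t pte_mkdirty(pte_t p)
{
    p |= PTE_DIRTY;
    if (pte_write(p))
        p &= ~PTE_RDONLY;      /* DBM: writable and dirty means hardware-writable */
    return p;
}

/* Gathered view of the target, as ptep_get() returns it for a CONT mapping:
 * AF and dirty state from every sibling are ORed onto the target's value. */
static pte_t contpte_get_gathered(const pte_t *block, unsigned idx)
{
    pte_t orig = block[idx];
    for (unsigned i = 0; i < CONT_PTES; i++) {
        if (pte_dirty(block[i])) orig = pte_mkdirty(orig);
        if (pte_young(block[i])) orig = pte_mkyoung(orig);
    }
    return orig;
}

/* Stand-in for __ptep_set_access_flags(): clear RDONLY, OR in entry's access bits. */
static void apply_access_bits(pte_t *p, pte_t entry)
{
    *p = (*p & ~PTE_RDONLY) | (entry & ACCESS_BITS);
}

/* Shared update path. Unchanged write bit: fix up the whole range. Changed
 * write bit: touch only the target (stand-in for unfolding). The decision
 * uses the raw target PTE, as both the old and the fixed code do. */
static void contpte_update(pte_t *block, unsigned idx, pte_t entry)
{
    if (pte_write(block[idx]) == pte_write(entry)) {
        for (unsigned i = 0; i < CONT_PTES; i++)
            apply_access_bits(&block[i], entry);
    } else {
        apply_access_bits(&block[idx], entry);
    }
}

/* Before the fix: no-op whenever the gathered value already equals entry. */
static int set_access_flags_gathered(pte_t *block, unsigned idx, pte_t entry)
{
    if (contpte_get_gathered(block, idx) == entry)
        return 0;
    contpte_update(block, idx, entry);
    return 1;
}

/* After the fix: no-op only if every raw sub-PTE already carries the
 * requested AF/dirty/write state. */
static int set_access_flags_per_pte(pte_t *block, unsigned idx, pte_t entry)
{
    for (unsigned i = 0; i < CONT_PTES; i++) {
        if ((block[i] & ACCESS_BITS) != (entry & ACCESS_BITS)) {
            contpte_update(block, idx, entry);
            return 1;
        }
    }
    return 0;
}

/* A walker that evaluates one descriptor at a time (SMMU without HTTU, CPU
 * without DBM): faults on a missing AF, and on RDONLY for a write. */
static bool walker_faults(pte_t p, bool write)
{
    return !pte_young(p) || (write && (p & PTE_RDONLY));
}

/* Constructed scenario: only sibling 3 carries the requested bits. Drives
 * fault -> handler -> retry and returns the number of faults taken before the
 * target stops faulting, or -1 once MAX_FAULTS is exceeded. */
#define MAX_FAULTS 64
int simulate_fault(bool fixed, bool write)
{
    pte_t block[CONT_PTES];
    unsigned target = 0, sibling = 3;
    int faults = 0;

    for (unsigned i = 0; i < CONT_PTES; i++)
        block[i] = PFN(i) | PTE_WRITE | PTE_RDONLY | (write ? PTE_AF : 0);
    block[sibling] = write ? pte_mkdirty(block[sibling]) : pte_mkyoung(block[sibling]);

    while (walker_faults(block[target], write)) {
        if (++faults > MAX_FAULTS)
            return -1;
        /* The fault handler builds entry from the gathered ptep_get() view. */
        pte_t entry = pte_mkyoung(contpte_get_gathered(block, target));
        if (write)
            entry = pte_mkdirty(entry);
        if (fixed)
            set_access_flags_per_pte(block, target, entry);
        else
            set_access_flags_gathered(block, target, entry);
    }
    return faults;
}

int main(void)
{
    printf("write fault, gathered check: %d\n", simulate_fault(false, true));
    printf("write fault, per-PTE check:  %d\n", simulate_fault(true, true));
    printf("read fault,  gathered check: %d\n", simulate_fault(false, false));
    printf("read fault,  per-PTE check:  %d\n", simulate_fault(true, false));
    return 0;
}
```

The gathered-check runs return -1 because the target descriptor is never rewritten: entry is derived from the gathered value, so it always equals that value and the handler keeps answering "no-op" while the walker keeps seeing the raw, unchanged sub-PTE. The per-PTE check resolves each case on the first fault, since the raw target differs from entry in exactly the bit the walker is tripping on.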
Preconditions
- config: System uses contiguous page-table entries (CONT_PTE) on arm64
- config: Page-table walker evaluates descriptors individually (e.g. SMMU without HTTU, or CPU without DBM/HAFDBS)
- input: Attacker triggers page faults on a CONT-mapped page where a sibling sub-PTE has been dirtied/accessed but the target sub-PTE has not
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.