Security Vulnerability Report
CVE-2026-43161 CVSS 5.5 MEDIUM

Published: 2026-05-06 12:16:34
Last Modified: 2026-05-13 21:20:10
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode

PCIe endpoints with ATS enabled and passed through to userspace (e.g., QEMU, DPDK) can hard-lock the host when their link drops, either by surprise removal or by a link fault.

Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") adds pci_dev_is_disconnected() to devtlb_invalidation_with_pasid() so ATS invalidation is skipped only when the device is being safely removed, but it applies only when Intel IOMMU scalable mode is enabled.

With scalable mode disabled or unsupported, a system hard-lock occurs when a PCIe endpoint's link drops because the Intel IOMMU waits indefinitely for an ATS invalidation that cannot complete.

Call Trace:
 qi_submit_sync
 qi_flush_dev_iotlb
 __context_flush_dev_iotlb.part.0
 domain_context_clear_one_cb
 pci_for_each_dma_alias
 device_block_translation
 blocking_domain_attach_dev
 iommu_deinit_device
 __iommu_group_remove_device
 iommu_release_device
 iommu_bus_notifier
 blocking_notifier_call_chain
 bus_notify
 device_del
 pci_remove_bus_device
 pci_stop_and_remove_bus_device
 pciehp_unconfigure_device
 pciehp_disable_slot
 pciehp_handle_presence_or_link_change
 pciehp_ist

Commit 81e921fd3216 ("iommu/vt-d: Fix NULL domain on device release") adds intel_pasid_teardown_sm_context() to intel_iommu_release_device(), which calls qi_flush_dev_iotlb() and can also hard-lock the system when a PCIe endpoint's link drops.

Call Trace:
 qi_submit_sync
 qi_flush_dev_iotlb
 __context_flush_dev_iotlb.part.0
 intel_context_flush_no_pasid
 device_pasid_table_teardown
 pci_pasid_table_teardown
 pci_for_each_dma_alias
 intel_pasid_teardown_sm_context
 intel_iommu_release_device
 iommu_deinit_device
 __iommu_group_remove_device
 iommu_release_device
 iommu_bus_notifier
 blocking_notifier_call_chain
 bus_notify
 device_del
 pci_remove_bus_device
 pci_stop_and_remove_bus_device
 pciehp_unconfigure_device
 pciehp_disable_slot
 pciehp_handle_presence_or_link_change
 pciehp_ist

Sometimes the endpoint loses connection without a link-down event (e.g., due to a link fault); killing the process (virsh destroy) then hard-locks the host.

Call Trace:
 qi_submit_sync
 qi_flush_dev_iotlb
 __context_flush_dev_iotlb.part.0
 domain_context_clear_one_cb
 pci_for_each_dma_alias
 device_block_translation
 blocking_domain_attach_dev
 __iommu_attach_device
 __iommu_device_set_domain
 __iommu_group_set_domain_internal
 iommu_detach_group
 vfio_iommu_type1_detach_group
 vfio_group_detach_container
 vfio_group_fops_release
 __fput

pci_dev_is_disconnected() only covers safe-removal paths; pci_device_is_present() tests accessibility by reading vendor/device IDs and internally calls pci_dev_is_disconnected(). On a ConnectX-5 (8 GT/s, x2) this costs ~70 µs.

Since __context_flush_dev_iotlb() is only called on {attach,release}_dev paths (not hot), add pci_device_is_present() there to skip inaccessible devices and avoid the hard-lock.
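
To find endpoints that match the affected configuration described above (ATS enabled and handed to userspace), the following added example parses `lspci -vv` output and lists functions with `ATSCtl: Enable+` that are bound to a passthrough driver. It is not part of the original advisory or the kernel project; the sample output is constructed, and treating `vfio-pci` as the passthrough driver is an assumption. It does not check the kernel version or whether scalable mode is in use.

```python
import re
import subprocess

# Constructed sample of `lspci -vv` output (run as root so ATSCtl is readable).
SAMPLE = """\
3b:00.0 Ethernet controller: Mellanox Technologies MT27800 Family [ConnectX-5]
\tCapabilities: [1c0 v1] Address Translation Service (ATS)
\t\tATSCap:\tInvalidate Queue Depth: 00
\t\tATSCtl:\tEnable+, Smallest Translation Unit: 00
\tKernel driver in use: vfio-pci
5e:00.0 Ethernet controller: Example NIC
\tCapabilities: [1c0 v1] Address Translation Service (ATS)
\t\tATSCtl:\tEnable-, Smallest Translation Unit: 00
\tKernel driver in use: vfio-pci
af:00.0 Non-Volatile memory controller: Example NVMe
\tCapabilities: [1c0 v1] Address Translation Service (ATS)
\t\tATSCtl:\tEnable+, Smallest Translation Unit: 00
\tKernel driver in use: nvme
"""

# Assumption: vfio-pci is the driver used to hand devices to QEMU/DPDK here.
PASSTHROUGH_DRIVERS = {"vfio-pci"}
BDF = re.compile(r"^((?:[0-9a-f]{4}:)?[0-9a-f]{2}:[0-9a-f]{2}\.[0-7])\s+(.*)$")


def parse_lspci(text):
    """Split `lspci -vv` output into one record per PCI function."""
    devices, cur = [], None
    for line in text.splitlines():
        m = BDF.match(line)
        if m:  # an unindented "bus:dev.fn" line starts a new device
            cur = {"bdf": m.group(1), "name": m.group(2), "ats": False, "driver": None}
            devices.append(cur)
        elif cur is not None:
            s = line.strip()
            if s.startswith("ATSCtl:"):
                cur["ats"] = "Enable+" in s
            elif s.startswith("Kernel driver in use:"):
                cur["driver"] = s.split(":", 1)[1].strip()
    return devices


def exposed(devices, drivers=PASSTHROUGH_DRIVERS):
    """Devices with ATS enabled that are bound to a passthrough driver."""
    return [d["bdf"] for d in devices if d["ats"] and d["driver"] in drivers]


if __name__ == "__main__":
    out = subprocess.run(["lspci", "-vv"], capture_output=True, text=True).stdout
    for bdf in exposed(parse_lspci(out)):
        print(f"{bdf}: ATS enabled and bound to a passthrough driver")
```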

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

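cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.12.19 up to, but excluding, 5.13) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.13.4 up to, but excluding, 5.14) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.14.1 up to, but excluding, 6.12.77) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13 up to, but excluding, 6.18.17) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (mainline and stable branches, versions prior to the fix)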

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC Concept for CVE-2026-43161
 * This requires a system with Intel IOMMU, ATS capable device, and Scalable Mode disabled.
 * Triggering a device link drop (e.g., surprise removal) leads to a system hard lock.
 */
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/pci.h>

static int __init poc_init(void)
{
	struct pci_dev *pdev = NULL;

	// Find an ATS enabled device (pdev->ats_enabled requires CONFIG_PCI_ATS).
	// This check does not test whether the device is passed through to userspace.
	while ((pdev = pci_get_device(PCI_ANY_ID, PCI_ANY_ID, pdev))) {
		if (pdev->ats_enabled) {
			printk(KERN_INFO "Found ATS device: %s\n", pci_name(pdev));
			// The module only reports the device; it does not drop the link itself.
			// In a real exploit, this is triggered by physical removal or hypervisor action.
			// The kernel path qi_flush_dev_iotlb will be called without checking presence.
			// This leads to qi_submit_sync deadlock.
			pci_dev_put(pdev); // release the reference held when leaving the loop early
			break;
		}
	}
	return 0;
}

static void __exit poc_exit(void)
{
	printk(KERN_INFO "Exiting PoC.\n");
}

module_init(poc_init);
module_exit(poc_exit);
MODULE_LICENSE("GPL");
