CVE-2026-23361 Overview
A race condition vulnerability has been identified in the Linux kernel's PCI DesignWare Controller (DWC) endpoint driver. The issue occurs in the dw_pcie_ep_raise_msix_irq() function, where MSI-X interrupt writes may not complete before the associated Address Translation Unit (ATU) entry is unmapped. This race condition can result in host memory corruption or IOMMU errors.
Critical Impact
Successful exploitation of this race condition can lead to host memory corruption or IOMMU translation faults, potentially causing system instability or data corruption in affected Linux kernel deployments.
Affected Products
- Linux kernel with PCI DesignWare Controller endpoint support
- Systems using NVMe over PCI Endpoint Function (nvmet-pci-epf)
- ARM-based systems with SMMU-v3 IOMMU
Discovery Timeline
- 2026-03-25 - CVE-2026-23361 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23361
Vulnerability Analysis
The vulnerability exists in the Linux kernel's PCI DWC endpoint driver, specifically in how MSI-X interrupts are raised. The dw_pcie_ep_raise_msix_irq() function uses writel() to generate a PCI posted write transaction for raising an MSI-X interrupt to the host. However, since PCI posted writes have no completion acknowledgment, the writel() call may return before the PCI write operation actually completes on the bus.
Immediately after the write operation, the driver unmaps the outbound ATU entry that was used for the PCI write. This creates a race condition where the PCI write may still be in progress when the ATU entry is invalidated. If the ATU unmap wins the race, the in-flight write can target invalid memory addresses.
Observable symptoms of this vulnerability include ARM SMMU-v3 IOMMU translation fault events (F_TRANSLATION) and potential host memory corruption. The issue is particularly reproducible when running high-throughput workloads like fio with larger queue depths against nvmet-pci-epf.
Root Cause
The root cause is a Time-of-Check Time-of-Use (TOCTOU) race condition between the PCI posted write operation and the ATU entry unmapping. The driver fails to ensure the write has reached its destination before invalidating the memory mapping, violating the ordering requirements for PCI transactions.
A similar issue was previously addressed for MSI (not MSI-X) interrupts in commit 8719c64e76bf, which solved the problem by dedicating a persistent outbound iATU entry for MSI. However, this approach cannot be applied to MSI-X because each vector may have a different msg_addr that can change while the vector is masked.
Attack Vector
This vulnerability is triggered through normal driver operation under high-load conditions rather than direct external attack. The race condition manifests when:
- An endpoint driver calls dw_pcie_ep_raise_msix_irq() to signal the host
- A writel() initiates a PCI posted write transaction
- Before the write completes on the PCI bus, the function proceeds to unmap the ATU entry
- The in-flight write fails or corrupts memory due to the invalidated mapping
The resulting IOMMU translation faults appear in system logs as ARM SMMU-v3 F_TRANSLATION events for unprivileged data write faults, with the message "Input address caused fault."
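The ordering problem described above can be shown in a small user-space model. This C program is an added example, not kernel code and not part of the original advisory: struct ep_model, model_writel(), model_readl() and raise_msix() are hypothetical names. It assumes the worst-case interleaving in which the unmap always precedes the write's arrival, and its flush variant stands in for the read-back described under Patch Information.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not kernel code: one outbound ATU window and a count of
 * posted writes that have left the CPU but not yet been translated. */
struct ep_model {
    bool atu_mapped;     /* is the outbound window still valid? */
    unsigned pending;    /* posted writes still in flight */
    unsigned delivered;  /* writes translated through a valid window */
    unsigned faults;     /* writes that arrived after the unmap */
};

/* writel(): returns once the write is queued; posted writes carry no ack. */
static void model_writel(struct ep_model *m) { m->pending++; }

/* In-flight writes are translated only when the fabric drains them. */
static void model_drain(struct ep_model *m)
{
    for (; m->pending; m->pending--)
        if (m->atu_mapped)
            m->delivered++;
        else
            m->faults++;
}

/* readl(): completes only after earlier posted writes on the same path. */
static void model_readl(struct ep_model *m) { model_drain(m); }

/* Raise `n` vectors in the worst-case interleaving (unmap before drain). */
static struct ep_model raise_msix(unsigned n, bool flush_before_unmap)
{
    struct ep_model m = { 0 };
    for (unsigned i = 0; i < n; i++) {
        m.atu_mapped = true;        /* map msg_addr for this vector */
        model_writel(&m);
        if (flush_before_unmap)
            model_readl(&m);        /* read back before unmapping */
        m.atu_mapped = false;       /* unmap the ATU entry */
        model_drain(&m);            /* bus finishes whatever is left */
    }
    return m;
}

int main(void)
{
    struct ep_model racy = raise_msix(4, false), fixed = raise_msix(4, true);
    printf("no flush: faults=%u, with flush: faults=%u\n", racy.faults, fixed.faults);
    return 0;
}
```

On real hardware the write usually wins the race, which is why the faults only show up under sustained load; the model pins the losing interleaving so the effect of the read-back is visible on every vector.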
Detection Methods for CVE-2026-23361
Indicators of Compromise
- ARM SMMU-v3 IOMMU F_TRANSLATION events in system logs with "Input address caused fault" messages
- Unexpected system instability or crashes during high-throughput PCI endpoint workloads
- Memory corruption signatures in host memory regions associated with PCI device communication
Detection Strategies
- Monitor kernel logs for ARM SMMU translation fault events using log aggregation tools
- Implement system monitoring for unexpected PCI device errors or IOMMU faults during NVMe endpoint operations
- Deploy kernel tracing (ftrace or eBPF) on dw_pcie_ep_raise_msix_irq() to identify potential race condition triggers
Monitoring Recommendations
- Enable IOMMU fault reporting and alerting on systems running affected kernel configurations
- Monitor for elevated rates of PCI bus errors or memory corruption events during endpoint device operations
- Implement baseline monitoring for systems using nvmet-pci-epf to detect anomalous behavior patterns
How to Mitigate CVE-2026-23361
Immediate Actions Required
- Apply the kernel patches referenced in the security commits to affected systems
- Reduce queue depth for workloads using nvmet-pci-epf as a temporary mitigation if patching is not immediately possible
- Monitor systems for IOMMU fault events and schedule maintenance windows for patching
Patch Information
The fix adds a readl() flush operation to ensure the MSI-X write has reached its destination before the ATU entry is unmapped. Multiple kernel stable commits have been released to address this vulnerability:
Workarounds
- Reduce I/O queue depth for workloads interacting with PCI endpoint devices to lower the probability of triggering the race condition
- If possible, temporarily disable MSI-X and fall back to MSI or legacy interrupts until patching is complete
- Implement additional monitoring to detect and respond to IOMMU faults as an interim measure
# Example: Reduce NVMe queue depth as temporary workaround
echo 32 > /sys/module/nvme/parameters/io_queue_depth
# Verify current IOMMU fault status
dmesg | grep -i "arm-smmu\|iommu\|translation"


