CVE-2026-31735 Overview
CVE-2026-31735 affects the Linux kernel's IOMMU page table (iommupt) subsystem. The flaw resides in the unmap path, which can unmap more than requested when the requested ending point falls within a large or contiguous I/O Page Table Entry (IOPTE). The associated gather operation only flushed the originally requested range rather than the extended range that was actually unmapped, producing a short invalidation. The issue was identified through a new invalidation and gather test prepared for ARMv8 support, and the upstream commit notes that the root cause analysis was assisted by Claude.
Critical Impact
A short IOMMU invalidation can leave stale device translations active for memory that the kernel has unmapped, undermining IOMMU isolation guarantees on affected systems.
Affected Products
- Linux Kernel mainline development versions 7.0-rc1 through 7.0-rc6
- Stable trees referenced by commits 50ecd96a28f7 and ee6e69d03255
- Systems using the iommupt page table implementation
Discovery Timeline
- 2026-05-01 - CVE-2026-31735 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31735
Vulnerability Analysis
The Linux kernel IOMMU framework permits an unmap operation to remove more memory than the caller requested. This occurs when the requested unmap end address lands inside a large page or contiguous IOPTE: such an entry maps its whole range as a single translation, and the page table format has no way to remove only part of it, so the kernel correctly tears down the entire IOPTE.
The defect lies in the iommu_iotlb_gather accounting. The gather structure tracks the address range that must be flushed from the IOMMU TLB. The original code recorded only the caller-requested range. When the unmap silently expanded across a large IOPTE, the gather range did not expand with it.
When the driver later issues iotlb_sync, it flushes a window smaller than the memory actually unmapped. Stale translations covering the extended region remain valid in the IOMMU TLB. A device using those cached translations can continue to access pages the kernel considers detached from the I/O virtual address space. The upstream author notes that no current caller is known to unmap a partial large entry, so the condition is unlikely to be triggered in practice.
Root Cause
The gather range update logic in the iommupt unmap path failed to widen the flush window to match the actual unmap extent. The fix expands the gather to cover the full IOPTE that was torn down, ensuring TLB invalidation matches the memory removed from translation.
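To make the accounting mismatch concrete, here is a toy model of the unmap/gather/sync sequence described above. It is an added example, not kernel code: the domain layout (four 2 MiB large IOPTEs), the per-page TLB model and every name in it are invented for illustration, and only the start/end convention of the gather follows the kernel's iommu_iotlb_gather. The `widen_gather` flag switches between the original accounting (flush only the requested range) and the fixed accounting (flush the full IOPTE that was torn down), and `stale_translations()` counts pages the device could still translate after the sync.

```c
/* Toy model of the iommupt unmap / iotlb_gather interaction (added example;
 * not kernel code). Layout and names are assumptions: one domain with
 * NR_ENTRIES large IOPTEs of LARGE_SIZE each, and an IOMMU TLB modelled as
 * one cached-translation flag per 4 KiB page. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT  12
#define PAGE_SIZE   (1ULL << PAGE_SHIFT)
#define LARGE_SHIFT 21                          /* 2 MiB large IOPTE */
#define LARGE_SIZE  (1ULL << LARGE_SHIFT)
#define NR_ENTRIES  4                           /* 8 MiB of IOVA space */
#define NR_PAGES    (NR_ENTRIES * (LARGE_SIZE / PAGE_SIZE))

/* Mirrors the start/end (inclusive) fields of struct iommu_iotlb_gather. */
struct gather { uint64_t start, end; };

struct domain {
    bool iopte_present[NR_ENTRIES];   /* large entries in the page table */
    bool tlb_cached[NR_PAGES];        /* translations the IOMMU TLB currently holds */
};

static void gather_init(struct gather *g)
{
    g->start = UINT64_MAX;            /* same empty-range convention as the kernel */
    g->end = 0;
}

/* Grow the flush window to include [iova, iova+size). */
static void gather_add_range(struct gather *g, uint64_t iova, uint64_t size)
{
    uint64_t last = iova + size - 1;
    if (iova < g->start) g->start = iova;
    if (last > g->end)   g->end = last;
}

static void domain_map_all(struct domain *d)
{
    memset(d->iopte_present, 1, sizeof d->iopte_present);
    /* Assume the device has touched every page, so every translation is cached. */
    memset(d->tlb_cached, 1, sizeof d->tlb_cached);
}

/* Unmap [iova, iova+size). A large IOPTE cannot be split, so every entry the
 * request touches is torn down whole. Returns the bytes actually removed.
 * widen_gather=false reproduces the original accounting, true the fix. */
static uint64_t domain_unmap(struct domain *d, uint64_t iova, uint64_t size,
                             struct gather *g, bool widen_gather)
{
    uint64_t first = iova >> LARGE_SHIFT;
    uint64_t last  = (iova + size - 1) >> LARGE_SHIFT;
    for (uint64_t e = first; e <= last && e < NR_ENTRIES; e++)
        d->iopte_present[e] = false;

    uint64_t actual_start = first << LARGE_SHIFT;
    uint64_t actual_size  = ((last + 1) << LARGE_SHIFT) - actual_start;
    if (widen_gather)
        gather_add_range(g, actual_start, actual_size);   /* flush what was torn down */
    else
        gather_add_range(g, iova, size);                   /* flush only what was asked */
    return actual_size;
}

/* iotlb_sync: invalidate cached translations inside the gathered window only. */
static void domain_iotlb_sync(struct domain *d, const struct gather *g)
{
    if (g->start > g->end) return;                        /* empty gather */
    for (uint64_t p = g->start >> PAGE_SHIFT; p <= (g->end >> PAGE_SHIFT) && p < NR_PAGES; p++)
        d->tlb_cached[p] = false;
}

/* Pages the device can still translate although the page table no longer maps them. */
static unsigned stale_translations(const struct domain *d)
{
    unsigned stale = 0;
    for (uint64_t p = 0; p < NR_PAGES; p++)
        if (d->tlb_cached[p] && !d->iopte_present[p >> (LARGE_SHIFT - PAGE_SHIFT)])
            stale++;
    return stale;
}

/* Map everything, unmap [iova, iova+size) with the chosen accounting, sync, count stale pages. */
static unsigned run_unmap(uint64_t iova, uint64_t size, bool widen_gather)
{
    struct domain d;
    struct gather g;
    domain_map_all(&d);
    gather_init(&g);
    domain_unmap(&d, iova, size, &g, widen_gather);
    domain_iotlb_sync(&d, &g);
    return stale_translations(&d);
}

int main(void)
{
    /* Request ends 1 MiB into the first 2 MiB entry: the classic partial-large-IOPTE case. */
    uint64_t iova = 0, size = 1ULL << 20;
    printf("original gather: %u stale 4 KiB translations\n", run_unmap(iova, size, false));
    printf("widened gather:  %u stale 4 KiB translations\n", run_unmap(iova, size, true));
    return 0;
}
```

With the original accounting the half of the entry beyond the requested end keeps 256 cached translations for pages that are no longer in the page table; with the widened gather the count is zero. A request that is aligned to the large entry boundaries produces no stale translations under either accounting, which is why in-tree callers that never unmap a partial large entry do not hit the bug.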
Attack Vector
The CVSS vector indicates a local attack path requiring low privileges and no user interaction. Exploitation requires a kernel caller that unmaps into the middle of a large or contiguous IOPTE, a pattern not present in current in-tree callers. Successful triggering would leave a device able to read or write host memory after the kernel believes the mapping was torn down. The vulnerability is described by the maintainer as likely not triggerable through existing code paths.
No public proof-of-concept exists, and the CWE is recorded as [NVD-CWE-noinfo].
Detection Methods for CVE-2026-31735
Indicators of Compromise
- No file-based or network indicators apply because the defect is a kernel logic flaw in IOMMU TLB invalidation accounting.
- Unexpected device DMA to memory regions previously unmapped through iommu_unmap is a behavioral signal consistent with stale TLB entries.
- Stale cached translations do not produce faults: the symptom of this defect is the absence of an IOMMU translation fault when a device touches a region the kernel has unmapped. Translation faults logged by IOMMU drivers after large-region unmaps show that invalidation did take effect, but a device that keeps issuing DMA to unmapped regions is one that could have exploited a short flush window earlier.
Detection Strategies
- Inventory kernel build versions across the fleet and flag hosts running Linux 7.0-rc1 through 7.0-rc6 without the upstream fix commits applied.
- Track uname -r output through configuration management and correlate against the patched stable tags referenced by commits 50ecd96a28f7 and ee6e69d03255.
- Audit out-of-tree IOMMU drivers and any custom callers of iommu_unmap for code paths that could unmap partial large IOPTEs.
Monitoring Recommendations
- Enable IOMMU driver debug logging on systems handling untrusted PCIe devices to capture invalidation anomalies.
- Monitor for elevated rates of IOMMU page faults following kernel updates or device hot-plug events.
- Alert on loading of out-of-tree kernel modules that call into the IOMMU API on production hosts, since a new unmap caller is the only realistic way to introduce the partial large-IOPTE pattern that triggers the flaw.
How to Mitigate CVE-2026-31735
Immediate Actions Required
- Apply the upstream fix commits 50ecd96a28f712f8b682c0441f4cb9b086d28816 and ee6e69d032550687a3422504bfca3f834c7b5061.
- Rebuild and redeploy any custom kernels based on Linux 7.0-rc1 through 7.0-rc6 after merging the patch.
- Treat restrictions on local low-privilege access as defense in depth only on systems that cannot be patched immediately: the CVSS vector is local, but triggering the flaw still requires a kernel-side caller that unmaps a partial large IOPTE, which no current in-tree code does.
Patch Information
The fix is committed to the upstream stable tree. Reference commits 50ecd96a28f712f8b682c0441f4cb9b086d28816 and ee6e69d032550687a3422504bfca3f834c7b5061 extend the iommu_iotlb_gather range to cover the full IOPTE removed during an iommu_unmap call. Distributions consuming the affected release candidates should pull the corrected commits before publishing stable kernels.
Workarounds
- No vendor-supplied workaround replaces the patch; the only remediation is updating to a kernel containing the fix commits.
- Avoid running pre-release 7.0-rc kernels on production systems exposed to untrusted DMA-capable devices.
- Where pre-release kernels are required, limit attached PCIe and assigned devices to trusted hardware until the fix is merged into the deployed build.
# Verify the running kernel and confirm the fix commits are present
uname -r
# git log --oneline prints abbreviated hashes, so check ancestry by full hash instead;
# /usr/src/linux is assumed to be the tree the running kernel was built from
for c in 50ecd96a28f712f8b682c0441f4cb9b086d28816 ee6e69d032550687a3422504bfca3f834c7b5061; do
  git -C /usr/src/linux merge-base --is-ancestor "$c" HEAD && echo "$c: present" || echo "$c: missing"
done
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.