CVE-2026-43064 Overview
CVE-2026-43064 is a resource management flaw in the Linux kernel's idxd dmaengine driver. The driver supports Intel Data Streaming Accelerator (DSA) and Intel In-Memory Analytics Accelerator (IAA) devices. The workqueue associated with a DSA or IAA device is not released when the device object is freed. Each release path therefore leaks the kernel workqueue allocation, causing unbounded resource consumption over repeated bind and unbind cycles.
Critical Impact
Repeated DSA/IAA device release operations leak kernel workqueues, leading to memory exhaustion and degraded system stability on hosts that use Intel accelerator hardware.
Affected Products
- Linux kernel builds with the idxd dmaengine driver enabled (CONFIG_INTEL_IDXD)
- Systems using Intel Data Streaming Accelerator (DSA) hardware
- Systems using Intel In-Memory Analytics Accelerator (IAA) hardware
Discovery Timeline
- 2026-05-05 - CVE-2026-43064 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43064
Vulnerability Analysis
The idxd driver in drivers/dma/idxd/ manages Intel DSA and IAA accelerators. Each work queue (wq) associated with these devices has a backing kernel workqueue created during configuration. When the device object reaches its .release() callback, the driver frees the surrounding structures but does not call destroy_workqueue() on the associated kernel workqueue. The workqueue allocation, including its worker pool references and per-CPU data, persists in kernel memory after the parent object is gone.
Repeated cycles of configuring, enabling, disabling, and releasing wqs accumulate orphaned workqueues. This produces a slow but deterministic kernel memory leak. The flaw is a classic resource cleanup bug rather than an exploitable memory corruption primitive, and it requires local privileges to manipulate the accelerator devices.
Root Cause
The root cause is missing teardown logic in the device release path. The driver allocates a workqueue during initialization but the matching destroy_workqueue() call was absent from the .release() handler. The fix adds the release call so the workqueue is destroyed in lockstep with the parent object, restoring symmetric allocation and free semantics.
Attack Vector
Exploitation requires local access and the ability to bind, configure, or unbind idxd devices, which is normally restricted to privileged users or the accel-config tooling. A user with these privileges who repeatedly cycles wq state can exhaust kernel memory and degrade host availability. The vulnerability does not provide code execution or privilege escalation. Refer to the upstream commits for technical detail, including Kernel Git Commit 2bb9e9e and Kernel Git Commit fd4cb61.
Detection Methods for CVE-2026-43064
Indicators of Compromise
- Steady growth of kernel Slab and KernelStack values in /proc/meminfo on hosts with DSA or IAA hardware
- Increasing count of kworker threads or workqueue entries in /sys/kernel/debug/workqueue/ over time
- Repeated idxd bind/unbind events in dmesg correlated with rising kernel memory consumption
Detection Strategies
- Audit kernel package versions across the fleet and flag hosts running unpatched idxd builds with DSA or IAA devices present in lspci output
- Track long-term trends in kernel memory utilization on accelerator-equipped hosts and alert on sustained upward drift without a corresponding workload change
- Inspect /sys/bus/dsa/devices/ and /sys/bus/iax/devices/ lifecycle events through audit logging to detect frequent reconfiguration of wqs
Monitoring Recommendations
- Forward kernel memory metrics and dmesg logs to a centralized analytics platform for longitudinal analysis
- Build dashboards that correlate idxd device state changes with workqueue counts and slab growth
- Alert when host uptime combined with kernel memory growth exceeds an established baseline for accelerator hosts
How to Mitigate CVE-2026-43064
Immediate Actions Required
- Apply the upstream stable kernel updates that include the idxd release-path fix to all hosts using DSA or IAA hardware
- Reboot patched hosts to clear previously leaked workqueues from kernel memory
- Restrict access to accel-config and idxd sysfs interfaces to administrators who require accelerator management
Patch Information
The fix adds the missing workqueue teardown to the idxd device .release() path. It has been backported across multiple stable trees. Reference the upstream commits: Kernel Git Commit 3d33de3, Kernel Git Commit 958e965, Kernel Git Commit d02c24a, and Kernel Git Commit fc34f19. Distribution-specific advisories from Red Hat, SUSE, Debian, and Ubuntu typically follow the upstream stable releases.
Workarounds
- Avoid repeated bind/unbind and reconfiguration cycles of DSA and IAA wqs on unpatched hosts
- Schedule periodic reboots on long-running accelerator hosts to release accumulated kernel workqueue allocations
- Disable the idxd driver via module blacklist on systems that do not require DSA or IAA acceleration
# Blacklist the idxd driver on systems that do not require DSA/IAA
echo 'blacklist idxd' | sudo tee /etc/modprobe.d/blacklist-idxd.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
