CVE-2026-43161: Linux Kernel IOMMU VT-d DoS Vulnerability

CVE-2026-43161 Overview

CVE-2026-43161 is a Linux kernel denial-of-service flaw in the Intel VT-d IOMMU driver. The issue affects PCIe endpoints with Address Translation Services (ATS) enabled and passed through to userspace via VFIO (e.g., QEMU, DPDK). When such a device experiences a link drop through surprise removal or a link fault, the host can hard-lock because the IOMMU waits indefinitely for an ATS invalidation that cannot complete. The defect occurs when Intel IOMMU scalable mode is disabled or unsupported, leaving prior fixes ineffective. Killing a misbehaving guest process such as virsh destroy can also trigger the lock.

Critical Impact

A surprise PCIe link drop or link fault on a passthrough device can hard-lock the entire host, preventing recovery without a power cycle.

Affected Products

• Linux kernel with Intel VT-d IOMMU driver and PCIe ATS passthrough
• Hosts running VFIO-based virtualization (QEMU/KVM) with PCIe passthrough
• DPDK and similar userspace drivers using passthrough PCIe endpoints

Discovery Timeline

• 2026-05-06 - CVE-2026-43161 published to NVD
• 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2026-43161

Vulnerability Analysis

The vulnerability resides in the Intel VT-d IOMMU device-IOTLB invalidation path. When a PCIe endpoint with ATS enabled becomes inaccessible, the kernel still attempts to issue ATS invalidation requests through qi_flush_dev_iotlb() and qi_submit_sync(). Because the device cannot acknowledge the invalidation, the queued invalidation interface stalls indefinitely under spinlock, hard-locking the host CPU.

A prior commit, 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected"), introduced pci_dev_is_disconnected() in devtlb_invalidation_with_pasid() but only on the scalable-mode path. With scalable mode disabled, code paths such as domain_context_clear_one_cb() and intel_pasid_teardown_sm_context() still reach qi_flush_dev_iotlb() and stall.

Root Cause

The root cause is incomplete coverage of the disconnect check across IOMMU teardown paths [CWE-833 deadlock category]. pci_dev_is_disconnected() only flags devices undergoing a safe removal flow. Devices that vanish without a link-down event, such as those failing through a link fault, remain marked present and the IOMMU continues to issue invalidations that will never complete.

Attack Vector

The condition can be triggered by surprise hot-removal of a passthrough PCIe device, a physical link fault on the endpoint, or terminating a virtual machine that owns a passthrough device whose link has silently failed. The fix replaces the disconnect check with pci_device_is_present(), which performs a configuration-space read of vendor/device IDs to test real accessibility, and applies it in __context_flush_dev_iotlb(). The probe costs roughly 70 µs on a ConnectX-5 endpoint and runs only on attach and release paths, not on hot data paths. The corrected behavior is implemented in upstream commits 42662d1, 48b3f08, bc0490a, and e70d5fe.

Detection Methods for CVE-2026-43161

Indicators of Compromise

• Host hang or unresponsive console immediately following a PCIe hot-remove, pciehp slot disable, or VM teardown event involving a passthrough device.
• Pre-hang kernel call traces containing qi_submit_sync, qi_flush_dev_iotlb, __context_flush_dev_iotlb, and pciehp_ist or vfio_iommu_type1_detach_group.
• dmesg entries referencing Intel IOMMU invalidation timeouts on hosts running VFIO passthrough workloads.

Detection Strategies

• Inventory hosts where intel_iommu=on is set without sm_on (scalable mode), as those configurations match the unsafe code path.
• Correlate pciehp link-change events with subsequent VM crashes, host watchdog resets, or NMI-triggered reboots.
• Audit kernel versions on virtualization hosts to identify systems missing the upstream fix commits referenced above.

Monitoring Recommendations

• Forward kernel ring-buffer messages and IPMI/BMC watchdog events to a centralized logging or SIEM platform for correlation with VM lifecycle activity.
• Alert on PCIe AER (Advanced Error Reporting) link errors on hosts hosting VFIO-attached endpoints.
• Track virtualization control-plane operations such as virsh destroy against hosts that subsequently lose responsiveness.

How to Mitigate CVE-2026-43161

Immediate Actions Required

• Apply a kernel build that includes the upstream fixes 42662d1, 48b3f08, bc0490a, and e70d5fe.
• Reschedule virtualization workloads using PCIe passthrough off unpatched hosts where surprise removal is plausible.
• Verify distribution kernel update channels for backports addressing Intel VT-d ATS invalidation hangs.

Patch Information

The fix adds a pci_device_is_present() check inside __context_flush_dev_iotlb() so the IOMMU skips device-IOTLB invalidations on inaccessible endpoints regardless of scalable-mode configuration. The change is upstream in the Linux kernel; consult your distribution's stable kernel update for backport availability.

Workarounds

• Enable Intel IOMMU scalable mode via the intel_iommu=on,sm_on kernel command line where the platform supports it, which activates the prior pci_dev_is_disconnected() guard.
• Avoid surprise hot-removal of passthrough PCIe endpoints and use orderly device detach through the hypervisor before physical removal.
• Restrict PCIe ATS passthrough to devices and slots that are not subject to physical or fabric-level link faults.

# Configuration example: enable scalable mode as a partial workaround
# Edit /etc/default/grub and append to GRUB_CMDLINE_LINUX:
intel_iommu=on,sm_on iommu=pt

# Then regenerate grub configuration
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
sudo reboot

# Verify scalable mode is active
dmesg | grep -i "DMAR.*scalable"