CVE-2026-43486 Overview
CVE-2026-43486 is a Linux kernel vulnerability in the arm64 contiguous PTE (contpte) handling code. The flaw resides in contpte_ptep_set_access_flags(), which incorrectly evaluates page table entries when determining if an access-flag update is a no-op. The function compares a gathered ptep_get() value against the requested entry, but ptep_get() ORs the Access Flag (AF) and dirty bits across all sub-PTEs in a contiguous block. This can cause page-table walkers without hardware Dirty Bit Management (DBM), such as System Memory Management Units (SMMUs) lacking Hardware Translation Table Updates (HTTU), to enter an infinite fault loop on the unchanged target sub-PTE.
Critical Impact
Affected systems can experience denial of service through infinite SMMU/ATS fault loops when CPUs lack FEAT_HAFDBS or HTTU is disabled.
Affected Products
- Linux kernel on arm64 platforms using contiguous PTE mappings
- Systems with SMMUs lacking HTTU support or with HA/HD disabled in CD.TCR
- arm64 CPUs without DBM (Dirty Bit Management) hardware support
Discovery Timeline
- 2026-05-13 - CVE-2026-43486 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43486
Vulnerability Analysis
The vulnerability stems from a flawed no-op detection in contpte_ptep_set_access_flags() within the arm64 contiguous PTE handling logic. The function uses ptep_get() to retrieve the current PTE state before comparing it to the requested entry. However, ptep_get() returns a gathered view that ORs the Access Flag and dirty bits across every sub-PTE in the contiguous block.
When a sibling sub-PTE within the same CONT range carries dirty or AF bits, the gathered value makes the target sub-PTE appear already updated. The function then returns 0, signaling no work needed, even though the target sub-PTE still has PTE_RDONLY set in hardware or still lacks PTE_AF.
For CPUs implementing FEAT_HAFDBS, this gathered view aligns with hardware behavior because the CPU may set AF or dirty on any sub-PTE in the range. The TLB treats CONT entries as gathered. However, page-table walkers that evaluate each descriptor individually do not share this behavior.
Root Cause
The root cause is an inconsistency between the gathered semantics of ptep_get() and the per-descriptor semantics of certain page-table walkers. Walkers such as an SMMU without HTTU, an SMMU with HA/HD disabled in the Context Descriptor TCR, or a CPU without DBM read each sub-PTE individually. Per Arm ARM (DDI 0487) section D8.7.1, any sub-PTE in a CONT range may become the effective cached translation, requiring software to maintain consistent attributes across the range.
Attack Vector
A process or DMA-capable device triggering write faults on a target sub-PTE while a sibling sub-PTE in the same CONT block is already dirty causes the kernel to skip the required PTE_RDONLY clear. The walker continues to see the read-only state and re-faults indefinitely. Read faults exhibit the same pattern when the target lacks PTE_AF but a sibling has it set. The fix evaluates each sub-PTE against the requested AF, dirty, and write state using raw per-PTE values before returning a no-op.
The vulnerability mechanism does not involve crafted shellcode. See the kernel commits referenced below for the patch details.
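The no-op check described above, as an added example that models the flawed and fixed comparison side by side; it is constructed for illustration and is not code from the kernel or from the referenced commits. The bit positions, the 16-entry block, the target index and the helper names (gathered_get, is_noop_gathered, is_noop_per_pte, replay_faults) are all assumptions. It replays faults from a walker that reads each descriptor individually and shows that, with a dirty sibling in the same CONT range, the gathered comparison returns 0 forever while the per-sub-PTE comparison updates the target on the first fault; the read-fault variant (target lacking AF, sibling having it) is included as well.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the contpte access-flags no-op check. Bit positions, helper names
 * and block layout are constructed for illustration, not the kernel's definitions. */
typedef uint64_t pte_t;

#define PTE_RDONLY (1ULL << 7)   /* hardware read-only permission bit */
#define PTE_AF     (1ULL << 10)  /* Access Flag */
#define PTE_DIRTY  (1ULL << 55)  /* software dirty bit */
#define PTE_WRITE  (1ULL << 58)  /* software "may be writable" bit */
#define CONT_PTES  16            /* sub-PTEs in one contiguous block (assumed) */

/* State the access-flags path is responsible for: AF, dirty and write permission. */
#define ACCESS_BITS (PTE_RDONLY | PTE_AF | PTE_DIRTY)

/* Mark a PTE dirty as a write fault would: set DIRTY and, if writable, drop hardware RDONLY. */
static pte_t pte_mkdirty_model(pte_t pte) {
    pte |= PTE_DIRTY;
    if (pte & PTE_WRITE)
        pte &= ~PTE_RDONLY;
    return pte;
}

/* Model of the gathered ptep_get(): AF and dirty state are ORed across every sub-PTE. */
static pte_t gathered_get(const pte_t *block, unsigned idx) {
    pte_t pte = block[idx];
    for (unsigned i = 0; i < CONT_PTES; i++) {
        if (block[i] & PTE_AF)
            pte |= PTE_AF;
        if (block[i] & PTE_DIRTY)
            pte = pte_mkdirty_model(pte);
    }
    return pte;
}

/* Flawed no-op test: the gathered view already looks like the requested entry. */
static bool is_noop_gathered(const pte_t *block, unsigned idx, pte_t entry) {
    return gathered_get(block, idx) == entry;
}

/* Fixed no-op test: the raw target sub-PTE itself must already carry the requested state. */
static bool is_noop_per_pte(const pte_t *block, unsigned idx, pte_t entry) {
    return (block[idx] & ACCESS_BITS) == (entry & ACCESS_BITS);
}

/* Access-flags update: returns 0 when treated as a no-op, 1 when the sub-PTE was rewritten. */
static int set_access_flags(pte_t *block, unsigned idx, pte_t entry, bool use_fix) {
    bool noop = use_fix ? is_noop_per_pte(block, idx, entry)
                        : is_noop_gathered(block, idx, entry);
    if (noop)
        return 0;
    block[idx] = entry;  /* the real path would also invalidate the TLB for the range */
    return 1;
}

/* A walker without DBM/HTTU reads only the descriptor it is translating through. */
static bool walker_faults(const pte_t *block, unsigned idx, bool write) {
    return write ? (block[idx] & PTE_RDONLY) != 0 : (block[idx] & PTE_AF) == 0;
}

/* Constructed scenario: all sub-PTEs clean and read-only, then either sibling 0 is
 * made dirty (write case) or the target is stripped of AF (read case). */
static void build_block(pte_t *block, unsigned target, bool write) {
    for (unsigned i = 0; i < CONT_PTES; i++)
        block[i] = PTE_AF | PTE_WRITE | PTE_RDONLY;
    if (write)
        block[0] = pte_mkdirty_model(block[0]);  /* dirty sibling in the same CONT range */
    else
        block[target] &= ~PTE_AF;                /* target lacks AF, siblings have it */
}

/* Replay faults from such a walker until it makes progress. Returns the number of
 * faults taken; reaching max_faults means the walker never progressed. */
static int replay_faults(bool write, bool use_fix, int max_faults) {
    pte_t block[CONT_PTES];
    const unsigned target = 3;  /* assumed target sub-PTE */
    int faults = 0;

    build_block(block, target, write);
    while (walker_faults(block, target, write) && faults < max_faults) {
        pte_t entry = write ? pte_mkdirty_model(block[target]) : block[target] | PTE_AF;
        faults++;
        set_access_flags(block, target, entry, use_fix);
    }
    return faults;
}

int main(void) {
    printf("write fault, gathered check: %d faults\n", replay_faults(true, false, 5));
    printf("write fault, per-PTE check:  %d faults\n", replay_faults(true, true, 5));
    printf("read fault, gathered check:  %d faults\n", replay_faults(false, false, 5));
    printf("read fault, per-PTE check:   %d faults\n", replay_faults(false, true, 5));
    return 0;
}
```

Compiled and run as-is, the two gathered-check runs hit the cap of 5 faults with the target sub-PTE still read-only (or still lacking AF), while the two per-PTE runs resolve on the first fault. The fixed comparison masks only the AF, dirty and write-permission bits, which is the state the access-flags path owns; comparing whole PTE values would spuriously report work to do whenever unrelated bits differ.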
Detection Methods for CVE-2026-43486
Indicators of Compromise
- Repeated SMMU translation fault events logged against the same Input/Output Virtual Address (IOVA) without forward progress
- Kernel soft lockup warnings or watchdog timeouts on arm64 systems performing heavy I/O via SMMU/ATS
- High CPU utilization in fault handlers correlating with workloads that exercise contiguous PTE mappings
Detection Strategies
- Monitor dmesg for repeated arm-smmu-v3 event entries indicating C_BAD_STE, translation faults, or stalled transactions on identical addresses
- Audit kernel version and arm64 CPU feature flags via /proc/cpuinfo to identify systems without FEAT_HAFDBS
- Inspect SMMU Context Descriptor configuration to identify devices operating with HA/HD disabled in CD.TCR
Monitoring Recommendations
- Track per-device SMMU fault counters in /sys/kernel/debug/iommu/ on affected arm64 platforms
- Alert on sustained fault rates above baseline for ATS-enabled PCIe devices
- Correlate kernel fault traces with workload patterns that allocate large transparent hugepages or use mTHP backed by contiguous PTE mappings
How to Mitigate CVE-2026-43486
Immediate Actions Required
- Apply the upstream Linux kernel patches from the referenced stable tree commits to all arm64 systems using SMMU or ATS without HTTU support
- Inventory arm64 hosts and identify those lacking FEAT_HAFDBS or running SMMU configurations with HA/HD disabled
- Prioritize patching on systems exposed to untrusted workloads that can trigger contiguous PTE write faults at scale
Patch Information
The fix is available in upstream Linux kernel stable commits 05d239f2c95e, 09d620555e59, 6f92a7a8b48a, and 97c5550b7631. The patch changes contpte_ptep_set_access_flags() to evaluate each sub-PTE against the requested AF, dirty, and write state using raw per-PTE values rather than the gathered ptep_get() view before returning a no-op.
Workarounds
- Where supported, enable HA/HD bits in the SMMU Context Descriptor CD.TCR to align walker behavior with CPU gathering semantics
- Disable transparent hugepage and multi-size THP features that produce contiguous PTE mappings on affected arm64 platforms until patched
- Restrict DMA-capable workloads on ATS-enabled devices to trusted tenants pending kernel update deployment
# Verify kernel version and apply distribution-provided update
uname -r
# Example (Debian/Ubuntu): update to a patched kernel via the distribution package manager
sudo apt update && sudo apt install --only-upgrade linux-image-$(uname -r | sed 's/[^-]*-[^-]*-//')
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.