CVE-2026-45944 Overview
CVE-2026-45944 is a race condition in the Linux kernel Intel VT-d Input/Output Memory Management Unit (IOMMU) driver. The flaw exists in the iommu/vt-d subsystem during context entry teardown. The driver zeroes a 128-bit context entry using multiple 64-bit writes, creating a window where the hardware can fetch a partially cleared entry while the Present bit is still set. This torn read can produce unpredictable IOMMU behavior or spurious faults. The kernel maintainers resolved the issue by following the ownership handshake described in Section 6.5.3.3 of the VT-d specification.
Critical Impact
Hardware reading a torn context entry can trigger unpredictable IOMMU behavior or spurious DMA faults on Intel VT-d systems.
Affected Products
- Linux kernel iommu/vt-d driver
- Systems using Intel Virtualization Technology for Directed I/O (VT-d)
- Kernel branches receiving stable backports referenced by commits a922dbaf, c1e4f1dc, and d2138abc
Discovery Timeline
- 2026-05-27 - CVE-2026-45944 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45944
Vulnerability Analysis
The Intel VT-d IOMMU uses 128-bit context entries to describe DMA translation state for each PCI function. When the kernel tears down a context entry, it zeros both 64-bit halves to release the mapping. The original implementation issued these writes without first clearing the Present (P) bit. Because the IOMMU hardware fetches context entries asynchronously, it can read an entry mid-update where some fields are already zero but the Present bit remains set. The hardware then treats the partially zeroed entry as valid, producing undefined translation behavior or spurious faults. This is a race condition [CWE-362] between software updates and hardware fetches.
Root Cause
The root cause is the lack of an ownership handshake during teardown. While x86 provides strong write ordering between CPUs, the compiler is free to reorder writes to the two 64-bit halves of the context entry. Even with correct ordering, the hardware fetch is not atomic with respect to multiple CPU writes. The teardown path also omitted a write memory barrier (dma_wmb()) before the cache and context-cache invalidation, leaving no guarantee that the IOMMU observed software state changes in the intended order.
Attack Vector
The issue is triggered by normal teardown paths during device detach, driver unbind, or VFIO passthrough operations. No remote attack vector is documented. The condition is timing-dependent and produces system-visible faults or translation anomalies rather than direct privilege escalation. The fix, applied in commits a922dbaf, c1e4f1dc, and d2138abc, clears only the Present bit first, issues dma_wmb(), performs cache and context-cache invalidation, and only then fully zeros the entry. A matching dma_wmb() was added to context_set_present() to ensure full initialization before the Present bit becomes visible.
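The ordering argument above can be checked with a small userspace model. This is an added example, not the kernel's code or the upstream patch: the struct, function names and sample values are constructed, the hardware fetch is modelled as two independent 64-bit reads, and the model assumes no fetch straddles the invalidation step.

```c
#include <stdint.h>
#include <stdio.h>

#define CTX_P 1ULL /* Present bit: bit 0 of the low 64-bit half */
struct ctx_entry { uint64_t lo, hi; }; /* userspace model, not the kernel struct */

/* Count fetches that see a torn entry. A fetch is two independent 64-bit
 * reads: lo from state i, hi from state j. Assumption: no fetch mixes a state
 * before index `sync` with one at or after it (the invalidation point). */
static int count_torn(const struct ctx_entry *s, int n, int sync)
{
    int torn = 0;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++)
            if ((i < sync) == (j < sync) && (s[i].lo & CTX_P) &&
                (s[i].lo != s[0].lo || s[j].hi != s[0].hi))
                torn++; /* still Present, but not what software programmed */
    return torn;
}

/* Pre-fix teardown: two plain stores; hi_first models compiler reordering. */
int teardown_unpatched(struct ctx_entry e, int hi_first)
{
    struct ctx_entry s[3];
    s[0] = e;                    /* programmed entry, Present set */
    if (hi_first) e.hi = 0; else e.lo = 0;
    s[1] = e;                    /* after the first 64-bit store */
    e.lo = e.hi = 0; s[2] = e;   /* after the second 64-bit store */
    return count_torn(s, 3, 0);  /* no handshake: any two states can mix */
}

/* Post-fix order: clear Present, barrier, invalidate, then zero the entry. */
int teardown_patched(struct ctx_entry e)
{
    struct ctx_entry s[4];
    s[0] = e;
    e.lo &= ~CTX_P; s[1] = e;    /* 1. clear only the Present bit */
    /* 2. dma_wmb()  3. cache and context-cache invalidation (sync point) */
    e.hi = 0;       s[2] = e;    /* 4. zero the entry; store order no longer matters */
    e.lo = 0;       s[3] = e;
    return count_torn(s, 4, 2);
}

int main(void)
{
    struct ctx_entry e = { 0x123456001ULL, 0x102ULL }; /* constructed, Present set */
    printf("torn fetches: unpatched=%d reordered=%d patched=%d\n",
           teardown_unpatched(e, 0), teardown_unpatched(e, 1), teardown_patched(e));
    return 0;
}
```

In this model the unpatched sequence exposes a torn fetch in either store order, while the patched sequence exposes none.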
Detection Methods for CVE-2026-45944
Indicators of Compromise
- Spurious DMA Remapping (DMAR) fault messages in dmesg referencing context entries during device detach or driver unbind
- Unexpected IOMMU translation faults logged near VFIO device passthrough teardown events
- Kernel warnings from the intel-iommu driver during PCI hot-unplug operations
Detection Strategies
- Inventory Linux hosts running on Intel platforms with VT-d enabled and compare running kernel versions against the patched commits a922dbaf, c1e4f1dc, and d2138abc
- Monitor kernel logs for DMAR: fault entries correlated with device removal or virtualization workload churn
- Review virtualization hosts using VFIO or PCI passthrough for sporadic guest DMA failures that lack an obvious application cause
Monitoring Recommendations
- Forward dmesg and journalctl output to a centralized log platform and alert on DMAR and intel-iommu fault patterns
- Track kernel package versions across the fleet to confirm the IOMMU fix has been deployed
- Capture host-level performance and fault telemetry on hypervisors performing frequent device attach/detach cycles
How to Mitigate CVE-2026-45944
Immediate Actions Required
- Identify Linux hosts using Intel VT-d and prioritize kernel updates that include the upstream fix
- Apply distribution-provided kernel updates that backport commits a922dbaf, c1e4f1dc, and d2138abc
- Reboot affected systems after patching to load the corrected intel-iommu driver
Patch Information
The fix is available in the upstream Linux kernel via three stable commits: a922dbaf, c1e4f1dc, and d2138abc. The patch clears the Present bit, issues dma_wmb(), invalidates the context cache, and only then fully zeros the context entry. Apply the kernel update shipped by your Linux distribution.
Workarounds
- No supported workaround exists in the driver; the corrected teardown sequence requires the upstream patch
- Where patching is delayed, minimize PCI device hot-unplug and VFIO passthrough churn on affected hosts to reduce exposure to the race window
- Consider disabling VT-d only if business requirements allow, accepting the loss of the DMA isolation that VT-d provides
# Verify running kernel version and IOMMU status
uname -r
dmesg | grep -iE 'DMAR|IOMMU|intel-iommu'
# Confirm distribution kernel package includes the fix
# Example for Debian/Ubuntu:
apt list --installed 2>/dev/null | grep linux-image
# Example for RHEL/CentOS/Fedora:
rpm -q kernel


