Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53312

CVE-2026-53312: Linux Kernel IOMMU RISC-V DoS Vulnerability

CVE-2026-53312 is a denial of service flaw in the Linux kernel IOMMU RISC-V component caused by overflow issues in the invalidation path. This article covers the technical details, affected systems, and mitigation.

Published:

CVE-2026-53312 Overview

CVE-2026-53312 is an integer overflow vulnerability in the Linux kernel's RISC-V Input-Output Memory Management Unit (IOMMU) driver. The flaw resides in the invalidation path, where the code fails to handle a gather->end value of ULONG_MAX correctly. Because RISC-V supports sign-extended page tables, this boundary value is legitimately reachable. When encountered, an arithmetic overflow in the loop termination logic causes the kernel to enter an infinite loop, resulting in a denial of service.

Critical Impact

Triggering the overflow places a CPU into an infinite loop inside kernel context, degrading system availability on affected RISC-V Linux systems.

Affected Products

  • Linux kernel with the RISC-V IOMMU driver enabled
  • Systems running on RISC-V hardware supporting sign-extended page tables
  • Distributions shipping vulnerable kernel revisions prior to the referenced stable commits

Discovery Timeline

  • 2026-06-26 - CVE-2026-53312 published to the National Vulnerability Database (NVD)
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-53312

Vulnerability Analysis

The vulnerability sits in the Linux kernel iommu/riscv subsystem, specifically along the Translation Lookaside Buffer (TLB) invalidation path. The IOMMU gather structure tracks an address range using start and end fields. On RISC-V, sign-extended page tables permit the end field to reach ULONG_MAX. The invalidation loop computes a length by adding one to the range endpoint, then advances an iterator until it exceeds end. When end equals ULONG_MAX, the +1 addition wraps to zero and the iterator comparison never terminates. The result is an unbounded loop running in kernel context.

Root Cause

The root cause is an unchecked integer overflow in address range arithmetic. The original code performs the increment on the same side of the comparison as the loop counter, allowing the sentinel value to overflow. The upstream fix moves the +1 to the opposite side of the < comparison so that neither operand can wrap. This is categorized as an Integer Overflow leading to an Infinite Loop, a Denial of Service condition affecting kernel availability.

Attack Vector

An attacker with the ability to influence IOMMU invalidation ranges — for example, through a driver, user-space process interacting with a device using IOMMU-backed Direct Memory Access (DMA) mappings, or a compromised guest on a virtualization stack — can request an invalidation covering the maximum address space. The kernel then loops indefinitely on the executing CPU, stalling scheduling and impacting workloads bound to that core.

No verified proof-of-concept code is publicly available. See the upstream commits referenced below for the fix implementation details.

Detection Methods for CVE-2026-53312

Indicators of Compromise

  • A RISC-V CPU pegged at 100% utilization in kernel mode with no forward progress in scheduler traces
  • Kernel soft lockup or Reverse Communications Unit (RCU) stall warnings originating from iommu/riscv invalidation routines
  • Device I/O timeouts on peripherals sharing the affected IOMMU domain

Detection Strategies

  • Correlate soft-lockup kernel messages with stack traces referencing RISC-V IOMMU invalidation functions
  • Compare running kernel version and commit hashes against the fixed commits 40a13b49, 9f0632b0, and e4b76877
  • Monitor for repeated IOMMU flush requests originating from a single process or virtual machine

Monitoring Recommendations

  • Ingest dmesg and journald kernel logs into a centralized logging pipeline and alert on soft lockup or rcu_sched self-detected stall events
  • Track per-CPU kernel time via node exporters and alert on sustained 100% system CPU on a single core
  • Audit workloads that program IOMMU mappings, particularly virtualization hosts running RISC-V guests

How to Mitigate CVE-2026-53312

Immediate Actions Required

  • Apply the upstream Linux kernel patches referenced in the stable tree commits 40a13b49957937427bc23e78eb50679df4396a47, 9f0632b0d4246675fa221aa1a3bffadf9c6bd9ac, and e4b7687784153481de45fd39fb97ba3919605c0c
  • Rebuild and redeploy custom RISC-V kernels from a patched stable branch
  • Restrict untrusted access to devices and workloads that can program IOMMU invalidation ranges

Patch Information

The fix is delivered as three commits in the Linux stable tree that adjust the overflow-prone arithmetic in the RISC-V IOMMU invalidation path. Reference the kernel commit 40a13b49, kernel commit 9f0632b0, and kernel commit e4b76877 for the exact changes.

Workarounds

  • Where patching is not immediately possible, restrict deployment of RISC-V kernels with the vulnerable IOMMU driver to trusted workloads only
  • Limit exposure of DMA-capable devices to untrusted user space or guest virtual machines until the patched kernel is deployed

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.