HOMEVULNERABILITIESCVE-2026-23361
NONE

CVE-2026-23361

Published: March 25, 2026· Updated: Mar 25, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:4.3th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry

Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X

interrupt to the host using a writel(), which generates a PCI posted write

transaction. There's no completion for posted writes, so the writel() may

return before the PCI write completes. dw_pcie_ep_raise_msix_irq() also

unmaps the outbound ATU entry used for the PCI write, so the write races

with the unmap.

If the PCI write loses the race with the ATU unmap, the write may corrupt

host memory or cause IOMMU errors, e.g., these when running fio with a

larger queue depth against nvmet-pci-epf:

arm-smmu-v3 fc900000.iommu: 0x0000010000000010

arm-smmu-v3 fc900000.iommu: 0x0000020000000000

arm-smmu-v3 fc900000.iommu: 0x000000090000f040

arm-smmu-v3 fc900000.iommu: 0x0000000000000000

arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0

arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0

Flush the write by performing a readl() of the same address to ensure that

the write has reached the destination before the ATU entry is unmapped.

The same problem was solved for dw_pcie_ep_raise_msi_irq() in commit

8719c64e76bf ("PCI: dwc: ep: Cache MSI outbound iATU mapping"), but there

it was solved by dedicating an outbound iATU only for MSI. We can't do the

same for MSI-X because each vector can have a different msg_addr and the

msg_addr may be changed while the vector is masked.

[bhelgaas: commit log]

NVD Source

Technical Analysis

CVE-2026-23361 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (4)

Quick Facts

CVE IDCVE-2026-23361
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMar 25, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23361 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.