
CVE-2026-43161

Published: May 6, 2026 · Updated: May 6, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 4.7th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode

PCIe endpoints with ATS enabled and passed through to userspace (e.g., QEMU, DPDK) can hard-lock the host when their link drops, either by surprise removal or by a link fault.

Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") adds pci_dev_is_disconnected() to devtlb_invalidation_with_pasid() so ATS invalidation is skipped only when the device is being safely removed, but it applies only when Intel IOMMU scalable mode is enabled.

With scalable mode disabled or unsupported, a system hard-lock occurs when a PCIe endpoint's link drops because the Intel IOMMU waits indefinitely for an ATS invalidation that cannot complete.

Call Trace:
    qi_submit_sync
    qi_flush_dev_iotlb
    __context_flush_dev_iotlb.part.0
    domain_context_clear_one_cb
    pci_for_each_dma_alias
    device_block_translation
    blocking_domain_attach_dev
    iommu_deinit_device
    __iommu_group_remove_device
    iommu_release_device
    iommu_bus_notifier
    blocking_notifier_call_chain
    bus_notify
    device_del
    pci_remove_bus_device
    pci_stop_and_remove_bus_device
    pciehp_unconfigure_device
    pciehp_disable_slot
    pciehp_handle_presence_or_link_change
    pciehp_ist

Commit 81e921fd3216 ("iommu/vt-d: Fix NULL domain on device release") adds intel_pasid_teardown_sm_context() to intel_iommu_release_device(), which calls qi_flush_dev_iotlb() and can also hard-lock the system when a PCIe endpoint's link drops.

Call Trace:
    qi_submit_sync
    qi_flush_dev_iotlb
    __context_flush_dev_iotlb.part.0
    intel_context_flush_no_pasid
    device_pasid_table_teardown
    pci_pasid_table_teardown
    pci_for_each_dma_alias
    intel_pasid_teardown_sm_context
    intel_iommu_release_device
    iommu_deinit_device
    __iommu_group_remove_device
    iommu_release_device
    iommu_bus_notifier
    blocking_notifier_call_chain
    bus_notify
    device_del
    pci_remove_bus_device
    pci_stop_and_remove_bus_device
    pciehp_unconfigure_device
    pciehp_disable_slot
    pciehp_handle_presence_or_link_change
    pciehp_ist

Sometimes the endpoint loses connection without a link-down event (e.g., due to a link fault); killing the process (virsh destroy) then hard-locks the host.

Call Trace:
    qi_submit_sync
    qi_flush_dev_iotlb
    __context_flush_dev_iotlb.part.0
    domain_context_clear_one_cb
    pci_for_each_dma_alias
    device_block_translation
    blocking_domain_attach_dev
    __iommu_attach_device
    __iommu_device_set_domain
    __iommu_group_set_domain_internal
    iommu_detach_group
    vfio_iommu_type1_detach_group
    vfio_group_detach_container
    vfio_group_fops_release
    __fput

pci_dev_is_disconnected() only covers safe-removal paths; pci_device_is_present() tests accessibility by reading vendor/device IDs and internally calls pci_dev_is_disconnected(). On a ConnectX-5 (8 GT/s, x2) this costs ~70 µs.

Since __context_flush_dev_iotlb() is only called on {attach,release}_dev paths (not hot), add pci_device_is_present() there to skip inaccessible devices and avoid the hard-lock.

NVD Source
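
An added triage example, not part of the advisory or the kernel patch: the description's precondition is a PCIe endpoint with ATS enabled that is passed through to userspace, so this Python script lists such devices from `lspci -vv` output on a host that may still run an unpatched kernel. The function name, the default `vfio-pci` driver filter and the sample text are assumptions made for the example; the sample is constructed.

```python
import re

# Stanza header in `lspci -vv` output, e.g. "3b:00.0 Ethernet controller: ..."
DEVICE_RE = re.compile(r"^((?:[0-9a-f]{4}:)?[0-9a-f]{2}:[0-9a-f]{2}\.[0-7])\s+(.*)$")
ATS_CTL_RE = re.compile(r"^\s+ATSCtl:\s+Enable([+-])")
DRIVER_RE = re.compile(r"^\s+Kernel driver in use:\s+(\S+)")

def ats_passthrough_devices(lspci_vv, passthrough_drivers=("vfio-pci",)):
    """Return [(address, description)] for devices that have ATS enabled and
    are bound to a userspace passthrough driver (assumed here: vfio-pci)."""
    devices, current = [], None
    for line in lspci_vv.splitlines():
        if m := DEVICE_RE.match(line):
            current = {"addr": m[1], "desc": m[2], "ats": False, "driver": None}
            devices.append(current)
        elif current is None:
            continue  # text before the first device stanza
        elif m := ATS_CTL_RE.match(line):
            current["ats"] = m[1] == "+"
        elif m := DRIVER_RE.match(line):
            current["driver"] = m[1]
    return [(d["addr"], d["desc"]) for d in devices
            if d["ats"] and d["driver"] in passthrough_drivers]

# Constructed sample in the shape of `lspci -vv` output. On a real host run
# lspci as root, otherwise capabilities are shown as "<access denied>".
SAMPLE = """\
3b:00.0 Ethernet controller: Mellanox Technologies MT27800 Family [ConnectX-5]
\tCapabilities: [1c0 v1] Address Translation Service (ATS)
\t\tATSCap:\tInvalidate Queue Depth: 00
\t\tATSCtl:\tEnable+, Smallest Translation Unit: 00
\tKernel driver in use: vfio-pci

5e:00.0 Ethernet controller: Example Vendor NIC (constructed)
\tCapabilities: [1c0 v1] Address Translation Service (ATS)
\t\tATSCtl:\tEnable-, Smallest Translation Unit: 00
\tKernel driver in use: vfio-pci

86:00.0 Non-Volatile memory controller: Example Vendor NVMe (constructed)
\tCapabilities: [2a0 v1] Address Translation Service (ATS)
\t\tATSCtl:\tEnable+, Smallest Translation Unit: 00
\tKernel driver in use: nvme
"""

if __name__ == "__main__":
    for addr, desc in ats_passthrough_devices(SAMPLE):
        print(f"{addr}  ATS enabled and passed through: {desc}")
```

On a live host, feed the function the text of `lspci -vv` instead of `SAMPLE`; only the first sample device matches both conditions from the description.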

Technical Analysis

CVE-2026-43161 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-43161
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: May 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43161 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.