CVE-2026-23361 (GCVE-0-2026-23361)

Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-13 06:05
Title
PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry
Summary
In the Linux kernel, the following vulnerability has been resolved:

PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry

Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X interrupt to the host using a writel(), which generates a PCI posted write transaction. There's no completion for posted writes, so the writel() may return before the PCI write completes. dw_pcie_ep_raise_msix_irq() also unmaps the outbound ATU entry used for the PCI write, so the write races with the unmap.

If the PCI write loses the race with the ATU unmap, the write may corrupt host memory or cause IOMMU errors, e.g., these when running fio with a larger queue depth against nvmet-pci-epf:

  arm-smmu-v3 fc900000.iommu:      0x0000010000000010
  arm-smmu-v3 fc900000.iommu:      0x0000020000000000
  arm-smmu-v3 fc900000.iommu:      0x000000090000f040
  arm-smmu-v3 fc900000.iommu:      0x0000000000000000
  arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0
  arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0

Flush the write by performing a readl() of the same address to ensure that the write has reached the destination before the ATU entry is unmapped.

The same problem was solved for dw_pcie_ep_raise_msi_irq() in commit 8719c64e76bf ("PCI: dwc: ep: Cache MSI outbound iATU mapping"), but there it was solved by dedicating an outbound iATU only for MSI. We can't do the same for MSI-X because each vector can have a different msg_addr and the msg_addr may be changed while the vector is masked.

[bhelgaas: commit log]

Severity
No CVSS data available.
Assigner
Impacted products
Vendor: Linux
Product: Linux
Version:
  Affected: beb4641a787df79a1423a8789d185b6b78fcbfea , < a7afb8f810c04845fdfc58c57d9cf0cc5f23ced0 (git)
  Affected: beb4641a787df79a1423a8789d185b6b78fcbfea , < 6f60a783860c77b309f7d81003b6a0c73feca49e (git)
  Affected: beb4641a787df79a1423a8789d185b6b78fcbfea , < eaa6a56801ddd2d9b4980f19e7fe002b00994804 (git)
  Affected: beb4641a787df79a1423a8789d185b6b78fcbfea , < c22533c66ccae10511ad6a7afc34bb26c47577e3 (git)

Vendor: Linux
Product: Linux
Version:
  Affected: 4.19
  Unaffected: 0 , < 4.19 (semver)
  Unaffected: 6.12.77 , ≤ 6.12.* (semver)
  Unaffected: 6.18.17 , ≤ 6.18.* (semver)
  Unaffected: 6.19.7 , ≤ 6.19.* (semver)
  Unaffected: 7.0 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/dwc/pcie-designware-ep.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a7afb8f810c04845fdfc58c57d9cf0cc5f23ced0",
              "status": "affected",
              "version": "beb4641a787df79a1423a8789d185b6b78fcbfea",
              "versionType": "git"
            },
            {
              "lessThan": "6f60a783860c77b309f7d81003b6a0c73feca49e",
              "status": "affected",
              "version": "beb4641a787df79a1423a8789d185b6b78fcbfea",
              "versionType": "git"
            },
            {
              "lessThan": "eaa6a56801ddd2d9b4980f19e7fe002b00994804",
              "status": "affected",
              "version": "beb4641a787df79a1423a8789d185b6b78fcbfea",
              "versionType": "git"
            },
            {
              "lessThan": "c22533c66ccae10511ad6a7afc34bb26c47577e3",
              "status": "affected",
              "version": "beb4641a787df79a1423a8789d185b6b78fcbfea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/dwc/pcie-designware-ep.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry\n\nEndpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X\ninterrupt to the host using a writel(), which generates a PCI posted write\ntransaction.  There\u0027s no completion for posted writes, so the writel() may\nreturn before the PCI write completes.  dw_pcie_ep_raise_msix_irq() also\nunmaps the outbound ATU entry used for the PCI write, so the write races\nwith the unmap.\n\nIf the PCI write loses the race with the ATU unmap, the write may corrupt\nhost memory or cause IOMMU errors, e.g., these when running fio with a\nlarger queue depth against nvmet-pci-epf:\n\n  arm-smmu-v3 fc900000.iommu:      0x0000010000000010\n  arm-smmu-v3 fc900000.iommu:      0x0000020000000000\n  arm-smmu-v3 fc900000.iommu:      0x000000090000f040\n  arm-smmu-v3 fc900000.iommu:      0x0000000000000000\n  arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0\n  arm-smmu-v3 fc900000.iommu: unpriv data write s1 \"Input address caused fault\" stag: 0x0\n\nFlush the write by performing a readl() of the same address to ensure that\nthe write has reached the destination before the ATU entry is unmapped.\n\nThe same problem was solved for dw_pcie_ep_raise_msi_irq() in commit\n8719c64e76bf (\"PCI: dwc: ep: Cache MSI outbound iATU mapping\"), but there\nit was solved by dedicating an outbound iATU only for MSI. We can\u0027t do the\nsame for MSI-X because each vector can have a different msg_addr and the\nmsg_addr may be changed while the vector is masked.\n\n[bhelgaas: commit log]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T06:05:47.892Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a7afb8f810c04845fdfc58c57d9cf0cc5f23ced0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f60a783860c77b309f7d81003b6a0c73feca49e"
        },
        {
          "url": "https://git.kernel.org/stable/c/eaa6a56801ddd2d9b4980f19e7fe002b00994804"
        },
        {
          "url": "https://git.kernel.org/stable/c/c22533c66ccae10511ad6a7afc34bb26c47577e3"
        }
      ],
      "title": "PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23361",
    "datePublished": "2026-03-25T10:27:44.750Z",
    "dateReserved": "2026-01-13T15:37:46.001Z",
    "dateUpdated": "2026-04-13T06:05:47.892Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23361",
      "date": "2026-04-24",
      "epss": "0.00023",
      "percentile": "0.06394"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23361\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-03-25T11:16:35.060\",\"lastModified\":\"2026-04-24T18:41:30.110\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry\\n\\nEndpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X\\ninterrupt to the host using a writel(), which generates a PCI posted write\\ntransaction.  There\u0027s no completion for posted writes, so the writel() may\\nreturn before the PCI write completes.  dw_pcie_ep_raise_msix_irq() also\\nunmaps the outbound ATU entry used for the PCI write, so the write races\\nwith the unmap.\\n\\nIf the PCI write loses the race with the ATU unmap, the write may corrupt\\nhost memory or cause IOMMU errors, e.g., these when running fio with a\\nlarger queue depth against nvmet-pci-epf:\\n\\n  arm-smmu-v3 fc900000.iommu:      0x0000010000000010\\n  arm-smmu-v3 fc900000.iommu:      0x0000020000000000\\n  arm-smmu-v3 fc900000.iommu:      0x000000090000f040\\n  arm-smmu-v3 fc900000.iommu:      0x0000000000000000\\n  arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0\\n  arm-smmu-v3 fc900000.iommu: unpriv data write s1 \\\"Input address caused fault\\\" stag: 0x0\\n\\nFlush the write by performing a readl() of the same address to ensure that\\nthe write has reached the destination before the ATU entry is unmapped.\\n\\nThe same problem was solved for dw_pcie_ep_raise_msi_irq() in commit\\n8719c64e76bf (\\\"PCI: dwc: ep: Cache MSI outbound iATU mapping\\\"), but there\\nit was solved by dedicating an outbound iATU only for MSI. 
We can\u0027t do the\\nsame for MSI-X because each vector can have a different msg_addr and the\\nmsg_addr may be changed while the vector is masked.\\n\\n[bhelgaas: commit log]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\nPCI: dwc: ep: Vaciar escritura MSI-X antes de desmapear su entrada ATU\\n\\nLos controladores de punto final usan dw_pcie_ep_raise_msix_irq() para generar una interrupci\u00f3n MSI-X al host usando un writel(), lo que genera una transacci\u00f3n de escritura publicada PCI. No hay finalizaci\u00f3n para las escrituras publicadas, por lo que el writel() puede regresar antes de que la escritura PCI se complete. dw_pcie_ep_raise_msix_irq() tambi\u00e9n desmapea la entrada ATU de salida usada para la escritura PCI, por lo que la escritura compite con el desmapeo.\\n\\nSi la escritura PCI pierde la carrera con el desmapeo ATU, la escritura puede corromper la memoria del host o causar errores de IOMMU, por ejemplo, estos al ejecutar fio con una profundidad de cola mayor contra nvmet-pci-epf:\\n\\n  arm-smmu-v3 fc900000.iommu:      0x0000010000000010\\n  arm-smmu-v3 fc900000.iommu:      0x0000020000000000\\n  arm-smmu-v3 fc900000.iommu:      0x000000090000f040\\n  arm-smmu-v3 fc900000.iommu:      0x0000000000000000\\n  arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION cliente: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0\\n  arm-smmu-v3 fc900000.iommu: unpriv data write s1 \u0027Input address caused fault\u0027 stag: 0x0\\n\\nVaciar la escritura realizando un readl() de la misma direcci\u00f3n para asegurar que la escritura ha alcanzado el destino antes de que la entrada ATU sea desmapeada.\\n\\nEl mismo problema fue resuelto para dw_pcie_ep_raise_msi_irq() en el commit 8719c64e76bf (\u0027PCI: dwc: ep: Cacheo de mapeo iATU de salida MSI\u0027), pero all\u00ed fue resuelto dedicando un iATU de salida solo para MSI. 
No podemos hacer lo mismo para MSI-X porque cada vector puede tener una msg_addr diferente y la msg_addr puede ser cambiada mientras el vector est\u00e1 enmascarado.\\n\\n[bhelgaas: registro de commit]\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.19.1\",\"versionEndExcluding\":\"6.12.77\",\"matchCriteriaId\":\"9CC70BD7-E7C9-4802-B345-09DF8AE28044\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.17\",\"matchCriteriaId\":\"A5E006E4-59C7-43C1-9231-62A72219F2BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.7\",\"matchCriteriaId\":\"69245D10-0B71-485E-80C3-A64F077004D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:4.19:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"CFDAD450-8799-4C2D-80CE-2AA45DEC35CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4
E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"02259FDA-961B-47BC-AE7F-93D7EC6E90C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D2315C0-D46F-4F85-9754-F9E5E11374A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"512EE3A8-A590-4501-9A94-5D4B268D6138\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6f60a783860c77b309f7d81003b6a0c73feca49e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a7afb8f810c04845fdfc58c57d9cf0cc5f23ced0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c22533c66ccae10511ad6a7afc34bb26c47577e3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/eaa6a56801ddd2d9b4980f19e7fe002b00994804\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}

