{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "37764b952e1b39053defc7ebe5dcd8c4e3e78de9"
            },
            {
              "fixed": "48b3f08e68b29a79527869cdde7298ca2a9b9646"
            },
            {
              "fixed": "e70d5feb10c5ba2bbf7ca400b8f39a2f82d653e8"
            },
            {
              "fixed": "bc0490ad9edf5c6f98e39fbbee2877b85261a5ae"
            },
            {
              "fixed": "42662d19839f34735b718129ea200e3734b07e50"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "99301a53a1378f8863ac7850b9589f997bb0e125"
            },
            {
              "last_affected": "948ec6d003280d49aca49b366aa5cb140f87434d"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "5.12.19"
            },
            {
              "fixed": "5.13"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "5.13.4"
            },
            {
              "fixed": "5.14"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.14.0"
            },
            {
              "fixed": "6.12.77"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.17"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43161.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode\n\nPCIe endpoints with ATS enabled and passed through to userspace\n(e.g., QEMU, DPDK) can hard-lock the host when their link drops,\neither by surprise removal or by a link fault.\n\nCommit 4fc82cd907ac (\"iommu/vt-d: Don't issue ATS Invalidation\nrequest when device is disconnected\") adds pci_dev_is_disconnected()\nto devtlb_invalidation_with_pasid() so ATS invalidation is skipped\nonly when the device is being safely removed, but it applies only\nwhen Intel IOMMU scalable mode is enabled.\n\nWith scalable mode disabled or unsupported, a system hard-lock\noccurs when a PCIe endpoint's link drops because the Intel IOMMU\nwaits indefinitely for an ATS invalidation that cannot complete.\n\nCall Trace:\n qi_submit_sync\n qi_flush_dev_iotlb\n __context_flush_dev_iotlb.part.0\n domain_context_clear_one_cb\n pci_for_each_dma_alias\n device_block_translation\n blocking_domain_attach_dev\n iommu_deinit_device\n __iommu_group_remove_device\n iommu_release_device\n iommu_bus_notifier\n blocking_notifier_call_chain\n bus_notify\n device_del\n pci_remove_bus_device\n pci_stop_and_remove_bus_device\n pciehp_unconfigure_device\n pciehp_disable_slot\n pciehp_handle_presence_or_link_change\n pciehp_ist\n\nCommit 81e921fd3216 (\"iommu/vt-d: Fix NULL domain on device release\")\nadds intel_pasid_teardown_sm_context() to intel_iommu_release_device(),\nwhich calls qi_flush_dev_iotlb() and can also hard-lock the system\nwhen a PCIe endpoint's link drops.\n\nCall Trace:\n qi_submit_sync\n qi_flush_dev_iotlb\n __context_flush_dev_iotlb.part.0\n intel_context_flush_no_pasid\n device_pasid_table_teardown\n pci_pasid_table_teardown\n pci_for_each_dma_alias\n intel_pasid_teardown_sm_context\n intel_iommu_release_device\n iommu_deinit_device\n __iommu_group_remove_device\n iommu_release_device\n iommu_bus_notifier\n blocking_notifier_call_chain\n bus_notify\n device_del\n pci_remove_bus_device\n pci_stop_and_remove_bus_device\n pciehp_unconfigure_device\n pciehp_disable_slot\n pciehp_handle_presence_or_link_change\n pciehp_ist\n\nSometimes the endpoint loses connection without a link-down event\n(e.g., due to a link fault); killing the process (virsh destroy)\nthen hard-locks the host.\n\nCall Trace:\n qi_submit_sync\n qi_flush_dev_iotlb\n __context_flush_dev_iotlb.part.0\n domain_context_clear_one_cb\n pci_for_each_dma_alias\n device_block_translation\n blocking_domain_attach_dev\n __iommu_attach_device\n __iommu_device_set_domain\n __iommu_group_set_domain_internal\n iommu_detach_group\n vfio_iommu_type1_detach_group\n vfio_group_detach_container\n vfio_group_fops_release\n __fput\n\npci_dev_is_disconnected() only covers safe-removal paths;\npci_device_is_present() tests accessibility by reading\nvendor/device IDs and internally calls pci_dev_is_disconnected().\nOn a ConnectX-5 (8 GT/s, x2) this costs ~70 µs.\n\nSince __context_flush_dev_iotlb() is only called on\n{attach,release}_dev paths (not hot), add pci_device_is_present()\nthere to skip inaccessible devices and avoid the hard-lock.",
  "id": "CVE-2026-43161",
  "modified": "2026-07-15T01:49:09.058294862Z",
  "published": "2026-05-06T11:27:39.881Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42662d19839f34735b718129ea200e3734b07e50"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/48b3f08e68b29a79527869cdde7298ca2a9b9646"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc0490ad9edf5c6f98e39fbbee2877b85261a5ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e70d5feb10c5ba2bbf7ca400b8f39a2f82d653e8"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43161.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43161"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.8.0",
  "summary": "iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode"
}