CVE-2026-31735

EUVD-2026-26548

01.05.2026, 15:16

In the Linux kernel, the following vulnerability has been resolved:

iommupt: Fix short gather if the unmap goes into a large mapping

unmap has the odd behavior that it can unmap more than requested if the
ending point lands within the middle of a large or contiguous IOPTE.

In this case the gather should flush everything unmapped which can be
larger than what was requested to be unmapped. The gather was only
flushing the range requested to be unmapped, not extending to the extra
range, resulting in a short invalidation if the caller hits this special
condition.

This was found by the new invalidation/gather test I am adding in
preparation for ARMv8. Claude deduced the root cause.

As far as I remember nothing relies on unmapping a large entry, so this is
likely not a triggerable bug.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.159-1 fixed
bookworm (security)	6.1.164-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.251-3 fixed
forky	6.19.14-1 fixed
sid	7.0.3-1 fixed
trixie	6.12.73-1 fixed
trixie (security)	6.12.85-1 fixed

References

https://git.kernel.org/stable/c/50ecd96a28f712f8b682c0441f4cb9b086d28816

https://git.kernel.org/stable/c/ee6e69d032550687a3422504bfca3f834c7b5061