{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43220", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:55.994Z", "datePublished": "2026-05-06T11:28:20.905Z", "dateUpdated": "2026-05-14T14:30:14.695Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-14T14:30:14.695Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: serialize sequence allocation under concurrent TLB invalidations\n\nWith concurrent TLB invalidations, completion wait randomly gets timed out\nbecause cmd_sem_val was incremented outside the IOMMU spinlock, allowing\nCMD_COMPL_WAIT commands to be queued out of sequence and breaking the\nordering assumption in wait_on_sem().\nMove the cmd_sem_val increment under iommu->lock so completion sequence\nallocation is serialized with command queuing.\nAnd remove the unnecessary return."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/amd/amd_iommu_types.h", "drivers/iommu/amd/init.c", "drivers/iommu/amd/iommu.c"], "versions": [{"version": "715c263119fd1b918a9fcbd8a36ea5b604a46324", "lessThan": "fca7aa0264ae99e5ff287d0ced5af0b82b121c4f", "status": "affected", "versionType": "git"}, {"version": "e15768e68820142077bbca402d8e902f64ade1b0", "lessThan": "5000ce7fcb31067566a1a1a2e5b5bbff93625242", "status": "affected", "versionType": "git"}, {"version": "496269d12072ecb219826485bdbec70c92a8eef5", "lessThan": "48caa7542a795c9679ec1bd1bc2592e05a7369a4", "status": "affected", "versionType": "git"}, {"version": "d2a0cac10597068567d336e85fa3cbdbe8ca62bf", "lessThan": "9e249c48412828e807afddc21527eb734dc9bd3d", "status": "affected", "versionType": "git"}, {"version": "f2f65b28d802a667119147444ec2ae33eebf9a58", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/amd/amd_iommu_types.h", "drivers/iommu/amd/init.c", "drivers/iommu/amd/iommu.c"], "versions": [{"version": "6.12.75", "lessThan": "6.12.88", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.75", "versionEndExcluding": "6.12.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.128"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/fca7aa0264ae99e5ff287d0ced5af0b82b121c4f"}, {"url": "https://git.kernel.org/stable/c/5000ce7fcb31067566a1a1a2e5b5bbff93625242"}, {"url": "https://git.kernel.org/stable/c/48caa7542a795c9679ec1bd1bc2592e05a7369a4"}, {"url": "https://git.kernel.org/stable/c/9e249c48412828e807afddc21527eb734dc9bd3d"}], "title": "iommu/amd: serialize sequence allocation under concurrent TLB invalidations", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B503BA3C-31FA-4897-85F6-EECE0EE4668F", "versionEndExcluding": "6.7", "versionStartIncluding": "6.6.128", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "72DA13D5-CC16-4529-9803-274233ABE12C", "versionEndExcluding": "6.13", "versionStartIncluding": "6.12.75", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: serialize sequence allocation under concurrent TLB invalidations\n\nWith concurrent TLB invalidations, completion wait randomly gets timed out\nbecause cmd_sem_val was incremented outside the IOMMU spinlock, allowing\nCMD_COMPL_WAIT commands to be queued out of sequence and breaking the\nordering assumption in wait_on_sem().\nMove the cmd_sem_val increment under iommu->lock so completion sequence\nallocation is serialized with command queuing.\nAnd remove the unnecessary return."}], "id": "CVE-2026-43220", "lastModified": "2026-05-14T15:16:47.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-05-06T12:16:41.660", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/48caa7542a795c9679ec1bd1bc2592e05a7369a4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5000ce7fcb31067566a1a1a2e5b5bbff93625242"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9e249c48412828e807afddc21527eb734dc9bd3d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fca7aa0264ae99e5ff287d0ced5af0b82b121c4f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: iommu/amd: serialize sequence allocation under concurrent TLB invalidations", "id": "2467088", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467088"}, "csaw": false, "cwe": "CWE-1066", "details": ["A flaw was found in the Linux kernel, specifically within the `iommu/amd` component responsible for managing memory access. This vulnerability arises from an issue in how commands are processed during concurrent memory invalidations, causing them to be queued out of sequence. This can lead to system instability and timeouts, potentially allowing an attacker to trigger a Denial of Service (DoS) condition, rendering the system unavailable."], "name": "CVE-2026-43220", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43220\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43220\nhttps://lore.kernel.org/linux-cve-announce/2026050652-CVE-2026-43220-cf2b@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e15768e68820142077bbca402d8e902f64ade1b0,5000ce7fcb31067566a1a1a2e5b5bbff93625242)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[496269d12072ecb219826485bdbec70c92a8eef5,48caa7542a795c9679ec1bd1bc2592e05a7369a4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d2a0cac10597068567d336e85fa3cbdbe8ca62bf,9e249c48412828e807afddc21527eb734dc9bd3d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f2f65b28d802a667119147444ec2ae33eebf9a58"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "715c263119fd1b918a9fcbd8a36ea5b604a46324"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-05-06T15:30:06.079338+00:00", "updated": "2026-05-12T21:45:05.391867+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}