{"api_version":"1","generated_at":"2026-04-26T11:23:39+00:00","cve":"CVE-2026-23361","urls":{"html":"https://cve.report/CVE-2026-23361","api":"https://cve.report/api/cve/CVE-2026-23361.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23361","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23361"},"summary":{"title":"PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry\n\nEndpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X\ninterrupt to the host using a writel(), which generates a PCI posted write\ntransaction.  There's no completion for posted writes, so the writel() may\nreturn before the PCI write completes.  dw_pcie_ep_raise_msix_irq() also\nunmaps the outbound ATU entry used for the PCI write, so the write races\nwith the unmap.\n\nIf the PCI write loses the race with the ATU unmap, the write may corrupt\nhost memory or cause IOMMU errors, e.g., these when running fio with a\nlarger queue depth against nvmet-pci-epf:\n\n  arm-smmu-v3 fc900000.iommu:      0x0000010000000010\n  arm-smmu-v3 fc900000.iommu:      0x0000020000000000\n  arm-smmu-v3 fc900000.iommu:      0x000000090000f040\n  arm-smmu-v3 fc900000.iommu:      0x0000000000000000\n  arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0\n  arm-smmu-v3 fc900000.iommu: unpriv data write s1 \"Input address caused fault\" stag: 0x0\n\nFlush the write by performing a readl() of the same address to ensure that\nthe write has reached the destination before the ATU entry is unmapped.\n\nThe same problem was solved for dw_pcie_ep_raise_msi_irq() in commit\n8719c64e76bf (\"PCI: dwc: ep: Cache MSI outbound iATU mapping\"), but there\nit was solved by dedicating an outbound iATU only for MSI. We can't do the\nsame for MSI-X because each vector can have a different msg_addr and the\nmsg_addr may be changed while the vector is masked.\n\n[bhelgaas: commit log]","state":"PUBLISHED","assigner":"Linux","published_at":"2026-03-25 11:16:35","updated_at":"2026-04-24 18:41:30"},"problem_types":["CWE-787"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/eaa6a56801ddd2d9b4980f19e7fe002b00994804","name":"https://git.kernel.org/stable/c/eaa6a56801ddd2d9b4980f19e7fe002b00994804","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6f60a783860c77b309f7d81003b6a0c73feca49e","name":"https://git.kernel.org/stable/c/6f60a783860c77b309f7d81003b6a0c73feca49e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c22533c66ccae10511ad6a7afc34bb26c47577e3","name":"https://git.kernel.org/stable/c/c22533c66ccae10511ad6a7afc34bb26c47577e3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a7afb8f810c04845fdfc58c57d9cf0cc5f23ced0","name":"https://git.kernel.org/stable/c/a7afb8f810c04845fdfc58c57d9cf0cc5f23ced0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23361","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23361","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected beb4641a787df79a1423a8789d185b6b78fcbfea a7afb8f810c04845fdfc58c57d9cf0cc5f23ced0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected beb4641a787df79a1423a8789d185b6b78fcbfea 6f60a783860c77b309f7d81003b6a0c73feca49e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected beb4641a787df79a1423a8789d185b6b78fcbfea eaa6a56801ddd2d9b4980f19e7fe002b00994804 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected beb4641a787df79a1423a8789d185b6b78fcbfea c22533c66ccae10511ad6a7afc34bb26c47577e3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.19","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.77 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.17 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.7 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"23361","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/pci/controller/dwc/pcie-designware-ep.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"a7afb8f810c04845fdfc58c57d9cf0cc5f23ced0","status":"affected","version":"beb4641a787df79a1423a8789d185b6b78fcbfea","versionType":"git"},{"lessThan":"6f60a783860c77b309f7d81003b6a0c73feca49e","status":"affected","version":"beb4641a787df79a1423a8789d185b6b78fcbfea","versionType":"git"},{"lessThan":"eaa6a56801ddd2d9b4980f19e7fe002b00994804","status":"affected","version":"beb4641a787df79a1423a8789d185b6b78fcbfea","versionType":"git"},{"lessThan":"c22533c66ccae10511ad6a7afc34bb26c47577e3","status":"affected","version":"beb4641a787df79a1423a8789d185b6b78fcbfea","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/pci/controller/dwc/pcie-designware-ep.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.19"},{"lessThan":"4.19","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.77","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.17","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.77","versionStartIncluding":"4.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.17","versionStartIncluding":"4.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.7","versionStartIncluding":"4.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"4.19","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry\n\nEndpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X\ninterrupt to the host using a writel(), which generates a PCI posted write\ntransaction.  There's no completion for posted writes, so the writel() may\nreturn before the PCI write completes.  dw_pcie_ep_raise_msix_irq() also\nunmaps the outbound ATU entry used for the PCI write, so the write races\nwith the unmap.\n\nIf the PCI write loses the race with the ATU unmap, the write may corrupt\nhost memory or cause IOMMU errors, e.g., these when running fio with a\nlarger queue depth against nvmet-pci-epf:\n\n  arm-smmu-v3 fc900000.iommu:      0x0000010000000010\n  arm-smmu-v3 fc900000.iommu:      0x0000020000000000\n  arm-smmu-v3 fc900000.iommu:      0x000000090000f040\n  arm-smmu-v3 fc900000.iommu:      0x0000000000000000\n  arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0\n  arm-smmu-v3 fc900000.iommu: unpriv data write s1 \"Input address caused fault\" stag: 0x0\n\nFlush the write by performing a readl() of the same address to ensure that\nthe write has reached the destination before the ATU entry is unmapped.\n\nThe same problem was solved for dw_pcie_ep_raise_msi_irq() in commit\n8719c64e76bf (\"PCI: dwc: ep: Cache MSI outbound iATU mapping\"), but there\nit was solved by dedicating an outbound iATU only for MSI. We can't do the\nsame for MSI-X because each vector can have a different msg_addr and the\nmsg_addr may be changed while the vector is masked.\n\n[bhelgaas: commit log]"}],"providerMetadata":{"dateUpdated":"2026-04-13T06:05:47.892Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/a7afb8f810c04845fdfc58c57d9cf0cc5f23ced0"},{"url":"https://git.kernel.org/stable/c/6f60a783860c77b309f7d81003b6a0c73feca49e"},{"url":"https://git.kernel.org/stable/c/eaa6a56801ddd2d9b4980f19e7fe002b00994804"},{"url":"https://git.kernel.org/stable/c/c22533c66ccae10511ad6a7afc34bb26c47577e3"}],"title":"PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23361","datePublished":"2026-03-25T10:27:44.750Z","dateReserved":"2026-01-13T15:37:46.001Z","dateUpdated":"2026-04-13T06:05:47.892Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-25 11:16:35","lastModifiedDate":"2026-04-24 18:41:30","problem_types":["CWE-787"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.1","versionEndExcluding":"6.12.77","matchCriteriaId":"9CC70BD7-E7C9-4802-B345-09DF8AE28044"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.17","matchCriteriaId":"A5E006E4-59C7-43C1-9231-62A72219F2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.7","matchCriteriaId":"69245D10-0B71-485E-80C3-A64F077004D3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.19:-:*:*:*:*:*:*","matchCriteriaId":"CFDAD450-8799-4C2D-80CE-2AA45DEC35CE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23361","Ordinal":"1","Title":"PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry","CVE":"CVE-2026-23361","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23361","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry\n\nEndpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X\ninterrupt to the host using a writel(), which generates a PCI posted write\ntransaction.  There's no completion for posted writes, so the writel() may\nreturn before the PCI write completes.  dw_pcie_ep_raise_msix_irq() also\nunmaps the outbound ATU entry used for the PCI write, so the write races\nwith the unmap.\n\nIf the PCI write loses the race with the ATU unmap, the write may corrupt\nhost memory or cause IOMMU errors, e.g., these when running fio with a\nlarger queue depth against nvmet-pci-epf:\n\n  arm-smmu-v3 fc900000.iommu:      0x0000010000000010\n  arm-smmu-v3 fc900000.iommu:      0x0000020000000000\n  arm-smmu-v3 fc900000.iommu:      0x000000090000f040\n  arm-smmu-v3 fc900000.iommu:      0x0000000000000000\n  arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0\n  arm-smmu-v3 fc900000.iommu: unpriv data write s1 \"Input address caused fault\" stag: 0x0\n\nFlush the write by performing a readl() of the same address to ensure that\nthe write has reached the destination before the ATU entry is unmapped.\n\nThe same problem was solved for dw_pcie_ep_raise_msi_irq() in commit\n8719c64e76bf (\"PCI: dwc: ep: Cache MSI outbound iATU mapping\"), but there\nit was solved by dedicating an outbound iATU only for MSI. We can't do the\nsame for MSI-X because each vector can have a different msg_addr and the\nmsg_addr may be changed while the vector is masked.\n\n[bhelgaas: commit log]","Type":"Description","Title":"PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry"}]}}}