{"api_version":"1","generated_at":"2026-05-03T12:43:37+00:00","cve":"CVE-2026-31735","urls":{"html":"https://cve.report/CVE-2026-31735","api":"https://cve.report/api/cve/CVE-2026-31735.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31735","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31735"},"summary":{"title":"iommupt: Fix short gather if the unmap goes into a large mapping","description":"In the Linux kernel, the following vulnerability has been resolved:\n\niommupt: Fix short gather if the unmap goes into a large mapping\n\nunmap has the odd behavior that it can unmap more than requested if the\nending point lands within the middle of a large or contiguous IOPTE.\n\nIn this case the gather should flush everything unmapped which can be\nlarger than what was requested to be unmapped. The gather was only\nflushing the range requested to be unmapped, not extending to the extra\nrange, resulting in a short invalidation if the caller hits this special\ncondition.\n\nThis was found by the new invalidation/gather test I am adding in\npreparation for ARMv8. Claude deduced the root cause.\n\nAs far as I remember nothing relies on unmapping a large entry, so this is\nlikely not a triggerable bug.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-01 15:16:36","updated_at":"2026-05-03 07:16:19"},"problem_types":[],"metrics":[{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/ee6e69d032550687a3422504bfca3f834c7b5061","name":"https://git.kernel.org/stable/c/ee6e69d032550687a3422504bfca3f834c7b5061","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/50ecd96a28f712f8b682c0441f4cb9b086d28816","name":"https://git.kernel.org/stable/c/50ecd96a28f712f8b682c0441f4cb9b086d28816","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31735","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31735","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7c53f4238aa8bfb476e177263133ead2eeb8d55d 50ecd96a28f712f8b682c0441f4cb9b086d28816 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7c53f4238aa8bfb476e177263133ead2eeb8d55d ee6e69d032550687a3422504bfca3f834c7b5061 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.19","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.12 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"31735","cve":"CVE-2026-31735","epss":"0.000180000","percentile":"0.050050000","score_date":"2026-05-02","updated_at":"2026-05-03 00:00:23"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/iommu/generic_pt/iommu_pt.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"50ecd96a28f712f8b682c0441f4cb9b086d28816","status":"affected","version":"7c53f4238aa8bfb476e177263133ead2eeb8d55d","versionType":"git"},{"lessThan":"ee6e69d032550687a3422504bfca3f834c7b5061","status":"affected","version":"7c53f4238aa8bfb476e177263133ead2eeb8d55d","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/iommu/generic_pt/iommu_pt.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.19"},{"lessThan":"6.19","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.12","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.12","versionStartIncluding":"6.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.19","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\niommupt: Fix short gather if the unmap goes into a large mapping\n\nunmap has the odd behavior that it can unmap more than requested if the\nending point lands within the middle of a large or contiguous IOPTE.\n\nIn this case the gather should flush everything unmapped which can be\nlarger than what was requested to be unmapped. The gather was only\nflushing the range requested to be unmapped, not extending to the extra\nrange, resulting in a short invalidation if the caller hits this special\ncondition.\n\nThis was found by the new invalidation/gather test I am adding in\npreparation for ARMv8. Claude deduced the root cause.\n\nAs far as I remember nothing relies on unmapping a large entry, so this is\nlikely not a triggerable bug."}],"metrics":[{"cvssV3_1":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-05-03T05:45:41.300Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/50ecd96a28f712f8b682c0441f4cb9b086d28816"},{"url":"https://git.kernel.org/stable/c/ee6e69d032550687a3422504bfca3f834c7b5061"}],"title":"iommupt: Fix short gather if the unmap goes into a large mapping","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31735","datePublished":"2026-05-01T14:14:32.923Z","dateReserved":"2026-03-09T15:48:24.137Z","dateUpdated":"2026-05-03T05:45:41.300Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-01 15:16:36","lastModifiedDate":"2026-05-03 07:16:19","problem_types":[],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2,"impactScore":6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31735","Ordinal":"1","Title":"iommupt: Fix short gather if the unmap goes into a large mapping","CVE":"CVE-2026-31735","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31735","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\niommupt: Fix short gather if the unmap goes into a large mapping\n\nunmap has the odd behavior that it can unmap more than requested if the\nending point lands within the middle of a large or contiguous IOPTE.\n\nIn this case the gather should flush everything unmapped which can be\nlarger than what was requested to be unmapped. The gather was only\nflushing the range requested to be unmapped, not extending to the extra\nrange, resulting in a short invalidation if the caller hits this special\ncondition.\n\nThis was found by the new invalidation/gather test I am adding in\npreparation for ARMv8. Claude deduced the root cause.\n\nAs far as I remember nothing relies on unmapping a large entry, so this is\nlikely not a triggerable bug.","Type":"Description","Title":"iommupt: Fix short gather if the unmap goes into a large mapping"}]}}}