{"api_version":"1","generated_at":"2026-05-11T05:55:43+00:00","cve":"CVE-2026-43220","urls":{"html":"https://cve.report/CVE-2026-43220","api":"https://cve.report/api/cve/CVE-2026-43220.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43220","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43220"},"summary":{"title":"iommu/amd: serialize sequence allocation under concurrent TLB invalidations","description":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: serialize sequence allocation under concurrent TLB invalidations\n\nWith concurrent TLB invalidations, completion wait randomly gets timed out\nbecause cmd_sem_val was incremented outside the IOMMU spinlock, allowing\nCMD_COMPL_WAIT commands to be queued out of sequence and breaking the\nordering assumption in wait_on_sem().\nMove the cmd_sem_val increment under iommu->lock so completion sequence\nallocation is serialized with command queuing.\nAnd remove the unnecessary return.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-06 12:16:41","updated_at":"2026-05-06 13:07:51"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/9e249c48412828e807afddc21527eb734dc9bd3d","name":"https://git.kernel.org/stable/c/9e249c48412828e807afddc21527eb734dc9bd3d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/48caa7542a795c9679ec1bd1bc2592e05a7369a4","name":"https://git.kernel.org/stable/c/48caa7542a795c9679ec1bd1bc2592e05a7369a4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5000ce7fcb31067566a1a1a2e5b5bbff93625242","name":"https://git.kernel.org/stable/c/5000ce7fcb31067566a1a1a2e5b5bbff93625242","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43220","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43220","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e15768e68820142077bbca402d8e902f64ade1b0 5000ce7fcb31067566a1a1a2e5b5bbff93625242 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 496269d12072ecb219826485bdbec70c92a8eef5 48caa7542a795c9679ec1bd1bc2592e05a7369a4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d2a0cac10597068567d336e85fa3cbdbe8ca62bf 9e249c48412828e807afddc21527eb734dc9bd3d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f2f65b28d802a667119147444ec2ae33eebf9a58 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 715c263119fd1b918a9fcbd8a36ea5b604a46324 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/iommu/amd/amd_iommu_types.h","drivers/iommu/amd/init.c","drivers/iommu/amd/iommu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"5000ce7fcb31067566a1a1a2e5b5bbff93625242","status":"affected","version":"e15768e68820142077bbca402d8e902f64ade1b0","versionType":"git"},{"lessThan":"48caa7542a795c9679ec1bd1bc2592e05a7369a4","status":"affected","version":"496269d12072ecb219826485bdbec70c92a8eef5","versionType":"git"},{"lessThan":"9e249c48412828e807afddc21527eb734dc9bd3d","status":"affected","version":"d2a0cac10597068567d336e85fa3cbdbe8ca62bf","versionType":"git"},{"status":"affected","version":"f2f65b28d802a667119147444ec2ae33eebf9a58","versionType":"git"},{"status":"affected","version":"715c263119fd1b918a9fcbd8a36ea5b604a46324","versionType":"git"}]},{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/iommu/amd/amd_iommu_types.h","drivers/iommu/amd/init.c","drivers/iommu/amd/iommu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux"}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.128","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.75","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: serialize sequence allocation under concurrent TLB invalidations\n\nWith concurrent TLB invalidations, completion wait randomly gets timed out\nbecause cmd_sem_val was incremented outside the IOMMU spinlock, allowing\nCMD_COMPL_WAIT commands to be queued out of sequence and breaking the\nordering assumption in wait_on_sem().\nMove the cmd_sem_val increment under iommu->lock so completion sequence\nallocation is serialized with command queuing.\nAnd remove the unnecessary return."}],"providerMetadata":{"dateUpdated":"2026-05-06T11:28:20.905Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/5000ce7fcb31067566a1a1a2e5b5bbff93625242"},{"url":"https://git.kernel.org/stable/c/48caa7542a795c9679ec1bd1bc2592e05a7369a4"},{"url":"https://git.kernel.org/stable/c/9e249c48412828e807afddc21527eb734dc9bd3d"}],"title":"iommu/amd: serialize sequence allocation under concurrent TLB invalidations","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43220","datePublished":"2026-05-06T11:28:20.905Z","dateReserved":"2026-05-01T14:12:55.994Z","dateUpdated":"2026-05-06T11:28:20.905Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-06 12:16:41","lastModifiedDate":"2026-05-06 13:07:51","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43220","Ordinal":"1","Title":"iommu/amd: serialize sequence allocation under concurrent TLB in","CVE":"CVE-2026-43220","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43220","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: serialize sequence allocation under concurrent TLB invalidations\n\nWith concurrent TLB invalidations, completion wait randomly gets timed out\nbecause cmd_sem_val was incremented outside the IOMMU spinlock, allowing\nCMD_COMPL_WAIT commands to be queued out of sequence and breaking the\nordering assumption in wait_on_sem().\nMove the cmd_sem_val increment under iommu->lock so completion sequence\nallocation is serialized with command queuing.\nAnd remove the unnecessary return.","Type":"Description","Title":"iommu/amd: serialize sequence allocation under concurrent TLB in"}]}}}