CVE-2026-43486

EPSS 0.02%
Veröffentlicht 13.05.2026 15:08:32
Zuletzt bearbeitet 13.05.2026 16:16:51
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults

In the Linux kernel, the following vulnerability has been resolved:

arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults

contpte_ptep_set_access_flags() compared the gathered ptep_get() value
against the requested entry to detect no-ops. ptep_get() ORs AF/dirty
from all sub-PTEs in the CONT block, so a dirty sibling can make the
target appear already-dirty. When the gathered value matches entry, the
function returns 0 even though the target sub-PTE still has PTE_RDONLY
set in hardware.

For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may
set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered
across the CONT range. But page-table walkers that evaluate each
descriptor individually (e.g. a CPU without DBM support, or an SMMU
without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the
unchanged target sub-PTE, causing an infinite fault loop.

Gathering can therefore cause false no-ops when only a sibling has been
updated:
 - write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)
 - read faults:  target still lacks PTE_AF

Fix by checking each sub-PTE against the requested AF/dirty/write state
(the same bits consumed by __ptep_set_access_flags()), using raw
per-PTE values rather than the gathered ptep_get() view, before
returning no-op. Keep using the raw target PTE for the write-bit unfold
decision.

Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT
range may become the effective cached translation and software must
maintain consistent attributes across the range.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 7

CNA 2 VulnDex Vulnerability Enrichment 12

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version 4602e5757bcceb231c3a13c36c373ad4a750eddb

Version < 05d239f2c95e66e27e7fb4e99ee07eb56e3e34b0

Status affected

Version 4602e5757bcceb231c3a13c36c373ad4a750eddb

Version < 6f92a7a8b48a523f910ef25dd83808710724f59b

Status affected

Version 4602e5757bcceb231c3a13c36c373ad4a750eddb

Version < 09d620555e59768776090073a2c59d2bc8506eb3

Status affected

Version 4602e5757bcceb231c3a13c36c373ad4a750eddb

Version < 97c5550b763171dbef61e6239cab372b9f9cd4a2

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.9

Status affected

Version 0

Version < 6.9

Status unaffected

Version <= 6.12.*

Version 6.12.78

Status unaffected

Version <= 6.18.*

Version 6.18.19

Status unaffected

Version <= 6.19.*

Version 6.19.9

Status unaffected

Version <= *

Version 7.0

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.047

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/05d239f2c95e66e27e7fb4e99ee07eb56e3e34b0

https://git.kernel.org/stable/c/6f92a7a8b48a523f910ef25dd83808710724f59b

https://git.kernel.org/stable/c/09d620555e59768776090073a2c59d2bc8506eb3

https://git.kernel.org/stable/c/97c5550b763171dbef61e6239cab372b9f9cd4a2

https://nvd.nist.gov/vuln/detail/CVE-2026-43486

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-43486

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-43486

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-43486