CVE-2025-38062

UNKNOWN 0.0

genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

In the Linux kernel, the following vulnerability has been resolved: genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie The IOMMU translation for MSI message addresses has been a 2-step process, separated in time: 1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address is stored in the MSI descriptor when an MSI interrupt is allocated. 2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a translated message address. This has an inherent lifetime problem for the pointer stored in the cookie that must remain valid between the two steps. However, there is no locking at the irq layer that helps protect the lifetime. Today, this works under the assumption that the iommu domain is not changed while MSI interrupts being programmed. This is true for normal DMA API users within the kernel, as the iommu domain is attached before the driver is probed and cannot be changed while a driver is attached. Classic VFIO type1 also prevented changing the iommu domain while VFIO was running as it does not support changing the "container" after starting up. However, iommufd has improved this so that the iommu domain can be changed during VFIO operation. This potentially allows userspace to directly race VFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and VFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()). This potentially causes both the cookie pointer and the unlocked call to iommu_get_domain_for_dev() on the MSI translation path to become UAFs. Fix the MSI cookie UAF by removing the cookie pointer. The translated IOVA address is already known during iommu_dma_prepare_msi() and cannot change. Thus, it can simply be stored as an integer in the MSI descriptor. The other UAF related to iommu_get_domain_for_dev() will be addressed in patch "iommu: Make iommu_dma_prepare_msi() into a generic operation" by using the IOMMU group mutex.

Vendor	linux
Product	linux
Ecosystems	Linux Kernel
Industries	Technology
Published	Jun 18, 2025
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new unknown vulnerabilities affecting linux linux are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Linux / Linux

ece6e6f0218b7777e650bf93728130ae6f4feb7d < e4d3763223c7b72ded53425207075e7453b4e3d5 ece6e6f0218b7777e650bf93728130ae6f4feb7d < ba41e4e627db51d914444aee0b93eb67f31fa330 ece6e6f0218b7777e650bf93728130ae6f4feb7d < 53f42776e435f63e5f8e61955e4c205dbfeaf524 ece6e6f0218b7777e650bf93728130ae6f4feb7d < 856152eb91e67858a09e30a7149a1f29b04b7384 ece6e6f0218b7777e650bf93728130ae6f4feb7d < 1f7df3a691740a7736bbc99dc4ed536120eb4746

Linux / Linux

5.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

git.kernel.org: https://git.kernel.org/stable/c/e4d3763223c7b72ded53425207075e7453b4e3d5 git.kernel.org: https://git.kernel.org/stable/c/ba41e4e627db51d914444aee0b93eb67f31fa330 git.kernel.org: https://git.kernel.org/stable/c/53f42776e435f63e5f8e61955e4c205dbfeaf524 git.kernel.org: https://git.kernel.org/stable/c/856152eb91e67858a09e30a7149a1f29b04b7384 git.kernel.org: https://git.kernel.org/stable/c/1f7df3a691740a7736bbc99dc4ed536120eb4746 lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html